├── .gitignore ├── FridaLib-master ├── .gitignore ├── LICENSE ├── README.md ├── iOSFridaLib.js └── sample │ ├── iOS-app-hook.py │ ├── libFuncTest.js │ └── xCallStackSymbols.js ├── README.md ├── easy_frida_ios_tool.js ├── easy_frida_mac_tool.py ├── frida-mac ├── exec_frida.py ├── js │ └── app.js └── listprocess.js ├── frida-scripts-master ├── .gitignore ├── filesystem │ ├── NSFileManager.js │ ├── NSString.js │ └── NSUserDefaults.js ├── jailbreak_detection │ ├── disable_jbdetection.js │ └── jb_fileExistAtPath.js ├── keychain │ └── SecItem_monitor.js ├── misc │ └── alert.js ├── network │ └── NSURLRequest.js ├── pinning │ ├── SSLHandshake.js │ ├── afn_pinnning.js │ ├── boringssl_pinning.js │ ├── disable_sectrustEvaluate.js │ ├── nsurl_pinning.js │ ├── ssl_pinning.js │ ├── tls_12_pinning.js │ ├── tls_pinning.js │ ├── universal_pinning.js │ └── xamarin_pinning.js ├── sqlite │ └── libsqlite3_monitor.js └── touch_id │ └── touchid-bypass.js ├── frida-scripts ├── README.md ├── raptor_frida_ios_bypass1.js ├── raptor_frida_ios_bypass2.js ├── raptor_frida_ios_call.js ├── raptor_frida_ios_debug.js ├── raptor_frida_ios_enum.js ├── raptor_frida_ios_lowlevel1.js ├── raptor_frida_ios_lowlevel2.js ├── raptor_frida_ios_stalker.js ├── raptor_frida_ios_touchid.js └── raptor_frida_ios_trace.js ├── frida-snippets-master ├── README.md ├── gif │ ├── README.md │ └── intercept_open_chrome_android.gif └── scripts │ ├── FridaCodeGenerator.py │ ├── WIP_android_ipc.js │ ├── WIP_dump_dynamically_created_files.js │ ├── WIP_ios_app_info.js │ ├── WIP_unpack_64.js │ ├── android_proxy.js │ ├── check_for_native_calls.py │ ├── dump_dynamically_created_files.py │ ├── enable_remote_debugging.js │ ├── enumerateNativeMethods.js │ ├── exec_shell_cmd.py │ ├── extact_ipa.sh │ ├── how_to_access_inner_class_static_field.md │ ├── install_frida_server.sh │ ├── ios.md │ ├── ios_ssl_unpin.js │ ├── log_string_builders_and_string_compare.js │ ├── objc_ssl_unppining_helper.js │ ├── print_native_method_arguments.py │ ├── 
stalker.js │ ├── trace_class.js │ └── unity.js ├── frida-操作-使用.pdf ├── hooking.js ├── my-frida-scripts ├── ApiResolver.js ├── BasicCommand.js ├── ObjCmethodobserver.js ├── TestMonkey.js ├── URLWithString_.js ├── __handlers__ │ ├── UUSdpManager │ │ └── setupSdpHost_port_groupId_userNa_d653758f.js │ ├── XYLottieAnimationButton │ │ ├── .cxx_destruct.js │ │ ├── animationView.js │ │ ├── enableAutoAnimation.js │ │ ├── hideAnimationView.js │ │ ├── initComponent.js │ │ ├── initWithCoder_.js │ │ ├── initWithType_.js │ │ ├── layoutSubviews.js │ │ ├── limitSizeForButton.js │ │ ├── maskView.js │ │ ├── playAnimationManually.js │ │ ├── playAnimationWithAnimated_.js │ │ ├── removeTarget_action_forControlEvents_.js │ │ ├── setAnimationViewScale_.js │ │ ├── setAnimationView_.js │ │ ├── setEnableAutoAnimation_.js │ │ ├── setLimitSizeForButton_.js │ │ ├── setMaskView_.js │ │ ├── setSelected_.js │ │ ├── setType_.js │ │ ├── setWebAnimation_darkUrl_forState_c07ef5c6.js │ │ ├── setWebAnimation_forState_completion_.js │ │ ├── triggerAnimation_.js │ │ └── type.js │ ├── XYNoteLikeButton │ │ └── pointInside_withEvent_.js │ ├── XYRotatePlayerView │ │ ├── canLandscape.js │ │ ├── commInit.js │ │ ├── configLandScapeParentViewController_.js │ │ ├── handleDeviceOrientationDidChange_.js │ │ ├── setCanLandscape_.js │ │ ├── setShouldAutoLandscape_.js │ │ ├── shouldAutoLandscape.js │ │ ├── updateToFullScreen_.js │ │ ├── updateToFullScreen_direction_.js │ │ ├── viewActive.js │ │ └── viewInactive.js │ └── _TtCC12XYNoteModule17CommentEntityView10LikeButton │ │ ├── .cxx_destruct.js │ │ ├── initWithCoder_.js │ │ ├── initWithFrame_.js │ │ ├── initWithType_.js │ │ └── setAttributedTitle_forState_.js ├── app.js ├── frida_ios_trace.js ├── iOSAppAllClassesMethods Hooks.js ├── iOSApplicationList.py ├── ios-app-info.js └── raptor_frida_ios_autoIntercept.js └── testmaco.py /.gitignore: -------------------------------------------------------------------------------- 1 | .architect 2 | bootstrap.css 3 | bootstrap.js 
4 | bootstrap.json 5 | bootstrap.jsonp 6 | build/ 7 | classic.json 8 | classic.jsonp 9 | ext/ 10 | modern.json 11 | modern.jsonp 12 | resources/sass/.sass-cache/ 13 | resources/.arch-internal-preview.css 14 | .arch-internal-preview.css 15 | .idea/ 16 | -------------------------------------------------------------------------------- /FridaLib-master/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store -------------------------------------------------------------------------------- /FridaLib-master/LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 xia0 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /FridaLib-master/README.md: -------------------------------------------------------------------------------- 1 | # FridaLib 2 | iOS/android frida library for reversing 3 | 4 | ### Android 5 | 6 | #### functions in androdFridaLib 7 | 8 | - backtrace : Print java call stack 9 | 10 | ```js 11 | function backtrace() 12 | ``` 13 | 14 | - java_single_hook : hook a java class method and automatically log its args and return value 15 | 16 | ```js 17 | function java_single_hook(className, methd, callbackFunc) 18 | ``` 19 | 20 | - java_hook : hook all overloads of a java class method and automatically log their args and return values 21 | 22 | ```js 23 | function java_hook(className, func, callbackFunc) 24 | ``` 25 | 26 | - native_hook_symbol : hook a native function by symbol 27 | 28 | ```js 29 | function native_hook_symbol(moduleName, funcName, onEnterFunc, onLeaveFunc) 30 | ``` 31 | 32 | - native_hook_address : hook a native function by address 33 | 34 | ```js 35 | function native_hook_address(moduleName, funcAddr, onEnterFunc, onLeaveFunc) 36 | ``` 37 | 38 | - print_class_fields : print all fields of a class object 39 | 40 | ```js 41 | function print_class_fields(obj) 42 | ``` 43 | 44 | - bytes_to_string : convert byte data to a java string 45 | 46 | ```js 47 | function bytes_to_string(data) 48 | ``` 49 | 50 | - string_to_bytes : convert a string to byte data 51 | 52 | ```js 53 | function string_to_bytes(str) 54 | ``` 55 | 56 | - hook_register_natives : hook RegisterNatives in libart.so 57 | 58 | ```js 59 | function hook_register_natives() 60 | ``` 61 | 62 | #### sample 63 | 64 | some test scripts for hooking apps and services on android 65 | 66 | ### iOS 67 | 68 | #### functions in iOSFridaLib 69 | 70 | - get_image_vm_slide : get the vm address slide of an image 71 | 72 | ```js 73 | function get_image_vm_slide(modulePath) 74 | ``` 75 | 76 | - get_all_objc_class : get all ObjC classes by image path 77 | 78 | ```js 79 | function 
get_all_objc_class(modulePath) 80 | ``` 81 | 82 | - get_all_class_methods : get all methods of a class 83 | 84 | ```js 85 | function get_all_class_methods(classname) 86 | ``` 87 | 88 | - get_info_form_address : get some info from an address 89 | 90 | ``` 91 | function get_info_form_address(address) 92 | ``` 93 | 94 | - find_symbol_from_address : find the best-matching objc symbol for an address 95 | 96 | ```js 97 | function find_symbol_from_address(modulePath,addr) 98 | ``` 99 | 100 | - backtrace 101 | 102 | ```js 103 | function backtrace(onlyMainModule) 104 | ``` 105 | 106 | - xbacktrace : print a symbol call stack 107 | 108 | ```js 109 | function xbacktrace(context) 110 | ``` 111 | 112 | #### sample 113 | 114 | these are some test js scripts that are loaded by the frida python script 115 | 116 | you can easily add your own test js script, modeled on the provided ones 117 | 118 | 119 | 120 | ### How to use 121 | 122 | you can refer to the sample 123 | 124 | 125 | 126 | ### Surprise 127 | 128 | this project was tweeted by [@Mobile Security](https://twitter.com/mobilesecurity_) at https://twitter.com/mobilesecurity_/status/1172116516839546883 129 | 130 | emmmm, but it is just a baby project. 
Be glade that you make it grouth with me 131 | 132 | ### Reference 133 | 134 | - http://4ch12dy.site/2019/07/02/xia0CallStackSymbols/xia0CallStackSymbols/ 135 | - https://github.com/interference-security/frida-scripts 136 | - https://github.com/frida 137 | - https://github.com/iddoeldor/frida-snippets 138 | -------------------------------------------------------------------------------- /FridaLib-master/sample/iOS-app-hook.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import frida 3 | import sys 4 | import codecs 5 | import os 6 | import threading 7 | 8 | NAME_OR_BUNDLEID = "com.larksuite.feishu.inhouse" 9 | 10 | def do_hook(): 11 | return xCallStackSymbolsTest() 12 | 13 | def libFuncTest(): 14 | return load_js_from_file('./libFuncTest.js') 15 | 16 | def xCallStackSymbolsTest(): 17 | return load_js_from_file('./xCallStackSymbols.js') 18 | 19 | def load_js_from_file(js_path): 20 | script_dir = os.path.dirname(os.path.realpath(__file__)) 21 | lib_path = os.path.join(script_dir, '../iOSFridaLib.js') 22 | lib_source = '' 23 | with codecs.open(lib_path, 'r', 'utf-8') as f: 24 | lib_source = lib_source + f.read() 25 | 26 | js_path = os.path.join(script_dir, js_path) 27 | js_source = '' 28 | with codecs.open(js_path, 'r', 'utf-8') as f: 29 | js_source = js_source + f.read() 30 | return lib_source+js_source 31 | 32 | def on_message(message, data): 33 | if message['type'] == 'send': 34 | print("[*] {0}".format(message['payload'])) 35 | else: 36 | print(message) 37 | 38 | def get_applications(device): 39 | try: 40 | applications = device.enumerate_applications() 41 | except Exception as e: 42 | print("Failed to enumerate applications: %s" % e) 43 | return 44 | 45 | return applications 46 | 47 | def get_usb_iphone(): 48 | Type = 'usb' 49 | if int(frida.__version__.split('.')[0]) < 12: 50 | Type = 'tether' 51 | 52 | device_manager = frida.get_device_manager() 53 | changed = threading.Event() 54 | 55 | def 
on_changed(): 56 | changed.set() 57 | 58 | device_manager.on('changed', on_changed) 59 | 60 | device = None 61 | while device is None: 62 | devices = [dev for dev in device_manager.enumerate_devices() if dev.type == Type] 63 | if len(devices) == 0: 64 | print('Waiting for USB device...') 65 | changed.wait() 66 | else: 67 | device = devices[0] 68 | 69 | device_manager.off('changed', on_changed) 70 | 71 | return device 72 | 73 | if __name__ == '__main__': 74 | try: 75 | device = get_usb_iphone() 76 | bundle_identifier = '' 77 | name_or_bundleid = NAME_OR_BUNDLEID 78 | print("[+] connect frida server successs") 79 | for application in get_applications(device): 80 | if name_or_bundleid == application.identifier or name_or_bundleid == application.name: 81 | pid = application.pid 82 | display_name = application.name 83 | bundle_identifier = application.identifier 84 | print("[*] found app for bundleid:{}".format(bundle_identifier)) 85 | 86 | if bundle_identifier == '': 87 | print("[-] not found app by bundleid:{}".format(bundle_identifier)) 88 | exit(1) 89 | 90 | try: 91 | if not pid: 92 | pid = device.spawn([bundle_identifier]) 93 | session = device.attach(pid) 94 | device.resume(pid) 95 | else: 96 | session = device.attach(pid) 97 | 98 | print("[+] attach app success for pid:{}".format(pid)) 99 | 100 | script = session.create_script(do_hook()) 101 | script.on("message", on_message) 102 | script.load() 103 | sys.stdin.read() 104 | except Exception as e: 105 | print(e) 106 | 107 | except KeyboardInterrupt: 108 | sys.exit(0) 109 | -------------------------------------------------------------------------------- /FridaLib-master/sample/libFuncTest.js: -------------------------------------------------------------------------------- 1 | if (ObjC.available) 2 | { 3 | try 4 | { 5 | //hook - ZYOperationView operationCopyLink 6 | var className = "UUMbsSDKManager"; 7 | var funcName = "+ login:block:"; 8 | var hook = eval('ObjC.classes.' 
+ className + '["' + funcName + '"]'); 9 | 10 | Interceptor.attach(hook.implementation, { 11 | onEnter: function(args) { 12 | // args[0] is self 13 | // args[1] is selector (SEL "sendMessageWithText:") 14 | // args[2] holds the first function argument, an NSString 15 | 16 | var mainPath = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String(); 17 | XLOG(mainPath) 18 | 19 | var slide = get_image_vm_slide(mainPath) 20 | 21 | XLOG(slide) 22 | 23 | } 24 | }); 25 | } 26 | catch(err) 27 | { 28 | console.log("[!] Exception2: " + err.message); 29 | } 30 | } 31 | else 32 | { 33 | console.log("[-] Objective-C Runtime is not available!"); 34 | } 35 | -------------------------------------------------------------------------------- /FridaLib-master/sample/xCallStackSymbols.js: -------------------------------------------------------------------------------- 1 | if (ObjC.available) 2 | { 3 | try 4 | { 5 | //hook - ZYOperationView operationCopyLink 6 | // var className = "ZYMediaDownloadHelper"; 7 | // var funcName = "+ downloadMediaUrl:isVideo:progress:finishBlock:"; 8 | var className = "UULoadManger"; 9 | var funcName = "+ delayHandleMethod"; 10 | var hook = eval('ObjC.classes.' + className + '["' + funcName + '"]'); 11 | 12 | Interceptor.attach(hook.implementation, { 13 | onEnter: function(args) { 14 | // args[0] is self 15 | // args[1] is selector (SEL "sendMessageWithText:") 16 | // args[2] holds the first function argument, an NSString 17 | 18 | // just call [NSThread callStackSymbols] 19 | var threadClass = ObjC.classes.NSThread 20 | var symbols = threadClass["+ callStackSymbols"]() 21 | XLOG(symbols) 22 | 23 | // call xCallStackSymbols 24 | xbacktrace(this.context); 25 | } 26 | }); 27 | } 28 | catch(err) 29 | { 30 | console.log("[!] 
Exception2: " + err.message); 31 | } 32 | } 33 | else 34 | { 35 | console.log("[-] Objective-C Runtime is not available!"); 36 | } -------------------------------------------------------------------------------- /easy_frida_mac_tool.py: -------------------------------------------------------------------------------- 1 | import frida 2 | import sys 3 | import codecs 4 | 5 | 6 | # 加载js文件 7 | def _load_js_file(filename): 8 | with codecs.open(filename, "r", "utf-8") as f: 9 | source = f.read() 10 | return source 11 | 12 | def on_message(message, data): 13 | print("[{}] => {}".format(message, data)) 14 | 15 | 16 | def main(target_process): 17 | session = frida.attach(target_process) 18 | script_source = _load_js_file("frida-mac/listprocess.js") 19 | script = session.create_script(script_source) 20 | script.on("message", on_message) 21 | script.load() 22 | print("[!] Ctrl+D or Ctrl+Z to detach from instrumented program.\n\n") 23 | sys.stdin.read() 24 | session.detach() 25 | 26 | 27 | if __name__ == "__main__": 28 | main("Safari") 29 | -------------------------------------------------------------------------------- /frida-mac/exec_frida.py: -------------------------------------------------------------------------------- 1 | import threading 2 | import frida 3 | import codecs 4 | import os 5 | from exec_tool import Logger 6 | 7 | # 根目录 8 | root_dir = os.path.dirname(os.path.realpath(__file__)) 9 | # js脚本目录 10 | script_dir = os.path.join(root_dir, "js/") 11 | # App.js文件 12 | APP_JS = os.path.join(script_dir, "app.js") 13 | 14 | # 获取第一个USB连接的设备 15 | def get_usb_iphone(): 16 | dManger = frida.get_device_manager() 17 | changed = threading.Event() 18 | 19 | def on_changed(): 20 | changed.set() 21 | 22 | dManger.on("changed", on_changed) 23 | device = None 24 | while device is None: 25 | print(dManger.enumerate_devices()) 26 | devices = [dev for dev in dManger.enumerate_devices() if dev.type == "usb"] 27 | if len(devices) == 0: 28 | Logger.green("✅ Writing for USB device...") 29 
| changed.wait() 30 | else: 31 | # print("✅ 设备列表:\n{}".format(dManger.enumerate_devices())) 32 | device = devices[0] 33 | dManger.off("changed", on_changed) 34 | return device 35 | 36 | 37 | # 列举手机的进程信息 38 | def list_runing_process(): 39 | device = frida.get_usb_device() 40 | processes = device.enumerate_processes() 41 | processes.sort(key=lambda item: item.pid) 42 | for process in processes: 43 | print("%-10s\t%s" % (str(process.pid), process.name)) 44 | 45 | 46 | # 加载js文件 47 | def _load_js_file(session, filename): 48 | source = "" 49 | with codecs.open(filename, "r", "utf-8") as f: 50 | source = source + f.read() 51 | script = session.create_script(source) 52 | # script.on('message', on_message) 53 | script.load() 54 | return script 55 | 56 | 57 | def listApplicationDir(args): 58 | device = frida.get_usb_device() 59 | Logger.green("✅ 设备信息:\n{}\n".format(device)) 60 | 61 | Logger.green("✅ 应用安装信息:\n") 62 | session = device.attach("SpringBoard") 63 | script = _load_js_file(session, APP_JS) 64 | apps = script.exports.installed() 65 | for index in range(len(apps)): 66 | item = apps[index] 67 | data_path = "-" 68 | if len(item["dataPath"]): 69 | data_path = item["dataPath"] 70 | vsa_path = item["vsaPath"] 71 | if vsa_path == "true": 72 | vsa_path = "沙箱App" 73 | else: 74 | vsa_path = "" 75 | print( 76 | "#{}【{}】<{}> {}".format( 77 | Logger.white("{}".format(index)), 78 | Logger.red(item["displayName"]), 79 | Logger.cyan(item["bundleIdentifier"]), 80 | Logger.green(vsa_path), 81 | ) 82 | ) 83 | print("{}".format(Logger.blue(item["bundlePath"][8:]))) 84 | print("{}".format(Logger.blue(data_path[8:]))) 85 | print("{}\n".format(Logger.blue(item["executablePath"][8:]))) 86 | session.detach() 87 | 88 | 89 | if __name__ == "__main__": 90 | listApplicationDir("") 91 | # list_runing_process() 92 | -------------------------------------------------------------------------------- /frida-mac/js/app.js: -------------------------------------------------------------------------------- 
1 | 'use strict'; 2 | 3 | rpc.exports = { 4 | add(a, b) { 5 | return a + b; 6 | }, 7 | sub(a, b) { 8 | return new Promise(resolve => { 9 | setTimeout(() => { 10 | resolve(a - b); 11 | }, 100); 12 | }); 13 | }, 14 | alert(title, message) { 15 | const UIAlertController = ObjC.classes.UIAlertController; 16 | const UIAlertAction = ObjC.classes.UIAlertAction; 17 | const UIApplication = ObjC.classes.UIApplication; 18 | var handler = new ObjC.Block({ 19 | retType: 'void', 20 | argTypes: ['object'], 21 | implementation: function() {} 22 | }); 23 | ObjC.schedule(ObjC.mainQueue, function() { 24 | var alert = UIAlertController.alertControllerWithTitle_message_preferredStyle_(title, message, 1); 25 | var defaultAction = UIAlertAction.actionWithTitle_style_handler_('OK', 0, handler); 26 | alert.addAction_(defaultAction); 27 | UIApplication.sharedApplication().keyWindow().rootViewController().presentViewController_animated_completion_(alert, true, NULL); 28 | }) 29 | }, 30 | installed() { 31 | var ws = ObjC.classes.LSApplicationWorkspace.defaultWorkspace(); 32 | var apps = ws.allInstalledApplications(); 33 | var result = []; 34 | for (var i = 0; i < apps.count(); i++) { 35 | var proxy = apps.objectAtIndex_(i); 36 | if(proxy.applicationType().toString() == "System") { 37 | continue; 38 | } 39 | var out = {}; 40 | out["displayName"] = proxy.localizedName().toString(); 41 | out["bundleIdentifier"] = proxy.bundleIdentifier().toString(); 42 | out["bundlePath"] = proxy.bundleURL().toString(); 43 | out["dataPath"] = [proxy.dataContainerURL(), ''].join('Documents'); 44 | out["executablePath"] = [proxy.bundleURL().toString(), proxy.bundleExecutable().toString()].join(''); 45 | out["vsaPath"] = "NO"; 46 | const vsaPath = out["bundlePath"].slice(8) + 'emmlib.framework/emmlib'; 47 | var mgr = ObjC.classes.NSFileManager.defaultManager(); 48 | const isExitVsa = mgr.fileExistsAtPath_(vsaPath).toString(); 49 | out["vsaPath"] = isExitVsa; 50 | result.push(out); 51 | } 52 | return result; 53 | } 
54 | }; -------------------------------------------------------------------------------- /frida-mac/listprocess.js: -------------------------------------------------------------------------------- 1 | printClasses: function () { 2 | var classes = ObjC.classes; 3 | for (var i = 0; i < classes.length; i++) { 4 | console.log(classes[i].toString()); 5 | } 6 | } 7 | 8 | 9 | const appWillFinishLaunching = 10 | ObjC.classes.NSApplicationDelegate["- applicationWillFinishLaunching:"]; 11 | Interceptor.attach(appWillFinishLaunching.implementation, { 12 | onEnter(args) { 13 | // As this is an Objective-C method, the argument s are as follows: 14 | // 0. 'self' 15 | // 1. The selector (applicationWillFinishLaunching:) 16 | // 2. The first argument to this method 17 | const notification = new ObjC.Object(args[2]); 18 | 19 | // Convert it to a JS string and log it 20 | const notificationStr = notification.absoluteString().toString(); 21 | console.log( 22 | "Will finish launching with notification: " + notificationStr 23 | ); 24 | }, 25 | }); 26 | -------------------------------------------------------------------------------- /frida-scripts-master/.gitignore: -------------------------------------------------------------------------------- 1 | .swp 2 | -------------------------------------------------------------------------------- /frida-scripts-master/filesystem/NSFileManager.js: -------------------------------------------------------------------------------- 1 | if(ObjC.available) { 2 | for(var className in ObjC.classes) { 3 | if (ObjC.classes.hasOwnProperty(className)) { 4 | if(className == "NSFileManager") { 5 | send("Found target class : " + className); 6 | 7 | var hook = ObjC.classes.NSFileManager["- createFileAtPath:contents:attributes:"]; 8 | Interceptor.attach(hook.implementation, { 9 | onEnter: function(args) { 10 | var obj = ObjC.Object(args[2]); 11 | send("[+][NSFileManager] create File at: " + obj.toString()); 12 | 13 | var obj = ObjC.Object(args[3]); 14 | var 
string = ObjC.classes.NSString.alloc(); 15 | send("\t- Content : " + string.initWithData_encoding_(obj,4)); 16 | 17 | var obj = ObjC.Object(args[4]); 18 | send("\t- Attributes : " + obj.toString()); 19 | } 20 | }); 21 | var hook = ObjC.classes.NSFileManager["- copyItemAtPath:toPath:error:"]; 22 | Interceptor.attach(hook.implementation, { 23 | onEnter: function(args) { 24 | var obj = ObjC.Object(args[2]); 25 | send("[+][NSFileManager] copy File at: " + obj.toString()); 26 | 27 | var obj = ObjC.Object(args[3]); 28 | send("\t- To Path : " + obj.toString()); 29 | } 30 | }); 31 | var hook = ObjC.classes.NSFileManager["- moveItemAtPath:toPath:error:"]; 32 | Interceptor.attach(hook.implementation, { 33 | onEnter: function(args) { 34 | var obj = ObjC.Object(args[2]); 35 | send("[+][NSFileManager] move File at: " + obj.toString()); 36 | 37 | var obj = ObjC.Object(args[3]); 38 | send("\t- To Path : " + obj.toString()); 39 | } 40 | }); 41 | var hook = ObjC.classes.NSFileManager["- fileExistsAtPath:"]; 42 | Interceptor.attach(hook.implementation, { 43 | onEnter: function(args) { 44 | var obj = ObjC.Object(args[2]); 45 | send("[+][NSFileManager] File Exists at Path: " + obj.toString()); 46 | } 47 | }); 48 | var hook = ObjC.classes.NSFileManager["- isReadableFileAtPath:"]; 49 | Interceptor.attach(hook.implementation, { 50 | onEnter: function(args) { 51 | var obj = ObjC.Object(args[2]); 52 | send("[+][NSFileManager] File Path: " + obj.toString()); 53 | }, 54 | onExit: function(retval) { 55 | send("- isReadable? " + retval.toString()); 56 | } 57 | }); 58 | var hook = ObjC.classes.NSFileManager["- isWritableFileAtPath:"]; 59 | Interceptor.attach(hook.implementation, { 60 | onEnter: function(args) { 61 | var obj = ObjC.Object(args[2]); 62 | send("[+][NSFileManager] File Path: " + obj.toString()); 63 | }, 64 | onExit: function(retval) { 65 | send("- isWritable? 
" + retval.toString()); 66 | } 67 | }); 68 | var hook = ObjC.classes.NSFileManager["- isExecutableFileAtPath:"]; 69 | Interceptor.attach(hook.implementation, { 70 | onEnter: function(args) { 71 | var obj = ObjC.Object(args[2]); 72 | send("[+][NSFileManager] File Path: " + obj.toString()); 73 | }, 74 | onExit: function(retval) { 75 | send("- isExecutable? " + retval.toString()); 76 | } 77 | }); 78 | var hook = ObjC.classes.NSFileManager["- isDeletableFileAtPath:"]; 79 | Interceptor.attach(hook.implementation, { 80 | onEnter: function(args) { 81 | var obj = ObjC.Object(args[2]); 82 | send("[+][NSFileManager] File Path: " + obj.toString()); 83 | }, 84 | onExit: function(retval) { 85 | send("- isDeletable? " + retval.toString()); 86 | } 87 | }); 88 | } 89 | } 90 | } 91 | } else { 92 | console.log("Objective-C Runtime is not available!"); 93 | } 94 | -------------------------------------------------------------------------------- /frida-scripts-master/filesystem/NSString.js: -------------------------------------------------------------------------------- 1 | if(ObjC.available) { 2 | for(var className in ObjC.classes) { 3 | if (ObjC.classes.hasOwnProperty(className)) { 4 | if(className == "NSString") { 5 | send("Found target class : " + className); 6 | 7 | var hook = ObjC.classes.NSString["- "]; 8 | Interceptor.attach(hook.implementation, { 9 | onEnter: function(args) { 10 | var obj = ObjC.Object(args[2]); 11 | send("[+][NSFileManager] create File at: " + obj.toString()); 12 | 13 | var obj = ObjC.Object(args[3]); 14 | var string = ObjC.classes.NSString.alloc(); 15 | send("\t- Content : " + string.initWithData_encoding_(obj,4)); 16 | 17 | var obj = ObjC.Object(args[4]); 18 | send("\t- Attributes : " + obj.toString()); 19 | } 20 | }); 21 | } 22 | } 23 | } 24 | } else { 25 | console.log("Objective-C Runtime is not available!"); 26 | } 27 | -------------------------------------------------------------------------------- /frida-scripts-master/filesystem/NSUserDefaults.js: 
-------------------------------------------------------------------------------- 1 | var className = "NSUserDefaults"; 2 | var hookMethods = ["- setObject:forKey:", "- setURL:forKey:", "- setInteger:forKey:", "- setFloat:forKey:", "- setDouble:forKey:"]; 3 | 4 | if(ObjC.available) { 5 | for(var c in ObjC.classes) { 6 | if (ObjC.classes.hasOwnProperty(c)) { 7 | if (c == className) { 8 | send("Found target class : " + className); 9 | 10 | var methods = ObjC.classes.NSUserDefaults.$methods; 11 | hookMethods.forEach(function(m) { 12 | var hook = ObjC.classes.NSUserDefaults[m]; 13 | Interceptor.attach(hook.implementation, { 14 | onEnter: function(args) { 15 | send("[+][" + className + "][" + m + "]"); 16 | 17 | var obj = ObjC.Object(args[3]); 18 | send("\t- Default Name: " + obj.toString()); 19 | 20 | var obj = ObjC.Object(args[2]); 21 | send("\t- Value: " + obj.toString()); 22 | } 23 | }); 24 | }); 25 | } 26 | } 27 | } 28 | } else { 29 | console.log("Objective-C Runtime is not available!"); 30 | } 31 | -------------------------------------------------------------------------------- /frida-scripts-master/jailbreak_detection/jb_fileExistAtPath.js: -------------------------------------------------------------------------------- 1 | var jailbreakPaths = [ 2 | "/etc/apt", 3 | "/Library/MobileSubstrate/MobileSubstrate.dylib", 4 | "/Applications/Cydia.app", 5 | "/Applications/blackra1n.app", 6 | "/Applications/FakeCarrier.app", 7 | "/Applications/Icy.app", 8 | "/Applications/IntelliScreen.app", 9 | "/Applications/MxTube.app", 10 | "/Applications/RockApp.app", 11 | "/Applications/SBSetttings.app", 12 | "/Applications/WinterBoard.app", 13 | "/usr/sbin/sshd", 14 | "/private/var/tmp/cydia.log", 15 | "/usr/binsshd", 16 | "/usr/libexec/sftp-server", 17 | "/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist", 18 | "/System/Library/LaunchDaemons/com.saurik.Cy@dia.Startup.plist", 19 | "/Library/MobileSubstrate/MobileSubstrate.dylib", 20 | "/var/log/syslog", 21 | "/bin/bash", 22 | 
"/bin/sh", 23 | "/etc/ssh/sshd_config", 24 | "/usr/libexec/ssh-keysign" 25 | ]; 26 | 27 | if(ObjC.available) { 28 | send("Jailbreak Detection enabled"); 29 | for(var className in ObjC.classes) { 30 | if (ObjC.classes.hasOwnProperty(className)) { 31 | //Jailbreak detection via accessing special files 32 | if(className == "NSFileManager") { 33 | send("Found our target class : " + className); 34 | 35 | var hook = ObjC.classes.NSFileManager["- fileExistsAtPath:"]; 36 | Interceptor.attach(hook.implementation, { 37 | onEnter: function (args) { 38 | var path = ObjC.Object(args[2]).toString(); // NSString 39 | 40 | this.jailbreakCall = false; 41 | var i = jailbreakPaths.length; 42 | while (i--) { 43 | if (jailbreakPaths[i] == path) { 44 | send("Jailbreak detection => Trying to read path: "+path); 45 | this.jailbreakCall = true; 46 | } 47 | } 48 | }, 49 | onLeave: function (retval) { 50 | if(this.jailbreakCall) { 51 | retval.replace(0x00); 52 | send("Jailbreak detection bypassed!"); 53 | } 54 | } 55 | }); 56 | } 57 | //Jailbreak detection via writing to forbidden paths 58 | if(className == "NSString") { 59 | send("Found our target class : " + className); 60 | 61 | var hook = ObjC.classes.NSString["- writeToFile:atomically:encoding:error:"]; 62 | Interceptor.attach(hook.implementation, { 63 | onEnter: function (args) { 64 | var path = ObjC.Object(args[2]).toString(); // NSString 65 | //send("Path : " + path); 66 | 67 | if (path.indexOf("private") >= 0) { 68 | send("Jailbreak detection => Trying to write path: "+path); 69 | this.jailbreakCall = true; 70 | this.error = args[5]; 71 | } 72 | }, 73 | onLeave: function (retval) { 74 | if(this.jailbreakCall) { 75 | var error = ObjC.classes.NSError.alloc(); 76 | Memory.writePointer(this.error, error); 77 | send("Jailbreak detection bypassed!"); 78 | } 79 | } 80 | }); 81 | } 82 | //Jailbreak detection via cydia URL Schema 83 | if(className == "UIApplication") { 84 | send("Found our target class : " + className); 85 | 86 | var hook = 
ObjC.classes.UIApplication["- canOpenURL:"]; 87 | Interceptor.attach(hook.implementation, { 88 | onEnter: function (args) { 89 | var url = ObjC.Object(args[2]).toString(); // NSString 90 | send("URL : " + url); 91 | 92 | if (url.indexOf("cydia") >= 0) { 93 | send("Jailbreak detection => Trying to use Cydia URL Schema: "+url); 94 | this.jailbreakCall = true; 95 | } 96 | }, 97 | onLeave: function (retval) { 98 | if(this.jailbreakCall) { 99 | retval.replace(0x00); 100 | send("Jailbreak detection bypassed!"); 101 | } 102 | } 103 | }); 104 | } 105 | } 106 | } 107 | } else { 108 | console.log("Objective-C Runtime is not available!"); 109 | } 110 | -------------------------------------------------------------------------------- /frida-scripts-master/keychain/SecItem_monitor.js: -------------------------------------------------------------------------------- 1 | var className = "Security"; 2 | var hookMethods = ["SecItemAdd", "SecItemUpdate", "SecItemDelete"]; 3 | 4 | for (index = 0; index < hookMethods.length; index++) { 5 | var methodName = hookMethods[index]; 6 | var ptr = null; 7 | Module.enumerateExports(className, { 8 | onMatch: function(imp) { 9 | if (imp.type == "function" && imp.name == methodName) { 10 | send("Found target method : " + methodName); 11 | 12 | try { 13 | Interceptor.attach(ptr(imp.address), { 14 | onEnter: function(args) { 15 | send("[+] Keychain operation: " + imp.name); 16 | var params = ObjC.Object(args[0]); // CFDictionaryRef => NSDictionary 17 | var keys = params.allKeys(); 18 | for (index = 0; index < keys.count(); index++) { 19 | var k = keys.objectAtIndex_(index); 20 | var v = params.objectForKey_(k); 21 | if (k == "v_Data") { 22 | var string = ObjC.classes.NSString.alloc(); 23 | v = string.initWithData_encoding_(v,4).toString(); 24 | } 25 | if (k == "pdmn") { 26 | if (v == "ak") { 27 | v = "kSecAttrAccessibleWhenUnlocked"; 28 | } else if (v == "ck") { 29 | v = "kSecAttrAccessibleAfterFirstUnlock"; 30 | } else if (v == "dk") { 31 | v = 
"kSecAttrAccessibleAlways"; 32 | } else if (v == "aku") { 33 | v = "kSecAttrAccessibleWhenUnlockedThisDeviceOnly" 34 | } else if (v == "cku") { 35 | v = "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly"; 36 | } else { 37 | // v == dku 38 | v = "kSecAttrAccessibleAlwaysThisDeviceOnly"; 39 | } 40 | } 41 | send("\t- " + k + "=" + v); 42 | } 43 | } 44 | }); 45 | } catch (error) { 46 | console.log("Ignoring " + imp.name + ": " + error.message); 47 | } 48 | } 49 | }, 50 | onComplete: function (e) { 51 | send("All methods loaded"); 52 | } 53 | }); 54 | } 55 | -------------------------------------------------------------------------------- /frida-scripts-master/misc/alert.js: -------------------------------------------------------------------------------- 1 | var UIAlertController = ObjC.classes.UIAlertController; 2 | var UIAlertAction = ObjC.classes.UIAlertAction; 3 | var UIApplication = ObjC.classes.UIApplication; 4 | var handler = new ObjC.Block({ retType: 'void', argTypes: ['object'], implementation: function () {} }); 5 | 6 | ObjC.schedule(ObjC.mainQueue, function () { 7 | var alert = UIAlertController.alertControllerWithTitle_message_preferredStyle_('From r2frida', 'Welcome to r2land folks!', 1); 8 | var defaultAction = UIAlertAction.actionWithTitle_style_handler_('OK', 0, handler); 9 | alert.addAction_(defaultAction); 10 | UIApplication.sharedApplication().keyWindow().rootViewController().presentViewController_animated_completion_(alert, true, NULL); 11 | }) 12 | -------------------------------------------------------------------------------- /frida-scripts-master/network/NSURLRequest.js: -------------------------------------------------------------------------------- 1 | if(ObjC.available) { 2 | for(var className in ObjC.classes) { 3 | if (ObjC.classes.hasOwnProperty(className)) { 4 | //Connection 5 | if(className == "NSURLConnection") { 6 | send("Found target class : " + className); 7 | var hook = ObjC.classes.NSURLConnection["- start"]; 8 | 
Interceptor.attach(hook.implementation, { 9 | onEnter: function(args) { 10 | send("HTTP Request sent! [NSURLConnection start]"); 11 | } 12 | }); 13 | var hook = ObjC.classes.NSURLConnection["- initWithRequest:delegate:startImmediately:"]; 14 | Interceptor.attach(hook.implementation, { 15 | onEnter: function(args) { 16 | send("HTTP Request sent! [NSURLConnection initWithRequest:startImmediately] (Deprecated at iOS 9.0)"); 17 | } 18 | }); 19 | var hook = ObjC.classes.NSURLConnection["- initWithRequest:delegate:"]; 20 | Interceptor.attach(hook.implementation, { 21 | onEnter: function(args) { 22 | send("HTTP Request sent! [NSURLConnection initWithRequest] (Deprecated at iOS 9.0)"); 23 | } 24 | }); 25 | var hook = ObjC.classes.NSURLConnection["+ connectionWithRequest:delegate:"]; 26 | Interceptor.attach(hook.implementation, { 27 | onEnter: function(args) { 28 | send("HTTP Request sent! [NSURLConnection connectionWithRequest] (Deprecated at iOS 9.0)"); 29 | } 30 | }); 31 | var hook = ObjC.classes.NSURLConnection["+ sendSynchronousRequest:returningResponse:error:"]; 32 | Interceptor.attach(hook.implementation, { 33 | onEnter: function(args) { 34 | send("HTTP Request sent! [NSURLConnection sendSynchronousRequest] (Deprecated at iOS 9.0)"); 35 | } 36 | }); 37 | var hook = ObjC.classes.NSURLConnection["+ sendAsynchronousRequest:queue:completionHandler:"]; 38 | Interceptor.attach(hook.implementation, { 39 | onEnter: function(args) { 40 | send("HTTP Request sent! 
[NSURLConnection sendAsynchronousRequest] (Deprecated at iOS 9.0)"); 41 | } 42 | }); 43 | 44 | } 45 | //Getting URL GET Requests 46 | if(className == "NSURLRequest") { 47 | send("Found our target class : " + className); 48 | var hook = ObjC.classes.NSURLRequest["+ requestWithURL:"]; 49 | Interceptor.attach(hook.implementation, { 50 | onEnter: function(args) { 51 | var receiver = new ObjC.Object(args[0]); 52 | var sel = ObjC.selectorAsString(args[1]); 53 | var obj = ObjC.Object(args[2]); 54 | send("HTTP Request [ "+receiver+" "+sel+" ] => NSURL: " + obj.toString()); 55 | } 56 | }); 57 | } 58 | //Getting URL POST Requests 59 | if(className == "NSMutableURLRequest") { 60 | send("Found our target class : " + className); 61 | //Getting URL 62 | var hook = ObjC.classes.NSMutableURLRequest["+ requestWithURL:"]; 63 | Interceptor.attach(hook.implementation, { 64 | onEnter: function(args) { 65 | var receiver = new ObjC.Object(args[0]); 66 | var sel = ObjC.selectorAsString(args[1]); 67 | var obj = ObjC.Object(args[2]); 68 | send("HTTP Request [ "+receiver+" "+sel+" ] => NSURL: " + obj.toString()); 69 | } 70 | }); 71 | //Getting POST Data 72 | var hook = ObjC.classes.NSMutableURLRequest["- setHTTPBody:"]; 73 | Interceptor.attach(hook.implementation, { 74 | onEnter: function(args) { 75 | var receiver = new ObjC.Object(args[0]); 76 | var sel = ObjC.selectorAsString(args[1]); 77 | var data = ObjC.Object(args[2]); 78 | var string = ObjC.classes.NSString.alloc(); 79 | send(" HTTP Request via [ "+receiver+" "+sel+" ] => DATA: " + string.initWithData_encoding_(data,4)); 80 | } 81 | }); 82 | var hook = ObjC.classes.NSMutableURLRequest["- setHTTPBodyStream:"]; 83 | Interceptor.attach(hook.implementation, { 84 | onEnter: function(args) { 85 | var receiver = new ObjC.Object(args[0]); 86 | var sel = ObjC.selectorAsString(args[1]); 87 | var data = ObjC.Object(args[2]); 88 | var string = ObjC.classes.NSString.alloc(); 89 | send(" HTTP Request via [ "+receiver+" " +sel+" ] => DATA: " + 
string.initWithData_encoding_(data,4)); 90 | } 91 | }); 92 | } 93 | 94 | } 95 | } 96 | } else { 97 | console.log("Objective-C Runtime is not available!"); 98 | } 99 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/SSLHandshake.js: -------------------------------------------------------------------------------- 1 | if (ObjC.available) { 2 | var className = "Security"; 3 | var ptr = null; 4 | 5 | Module.enumerateExports(className, { 6 | onMatch: function(imp) { 7 | if (imp.type == "function" && imp.name == "SSLHandshake") { 8 | try { 9 | Interceptor.attach(ptr(imp.address), { 10 | onEnter: function(args) { 11 | send ("Hooked SSLHandshake"); 12 | this.sslContext = args[0]; 13 | }, 14 | onLeave: function(retval) { 15 | //errSSLServerAuthCompleted == -9841 16 | send("[DEBUG] Return value: "+retval); 17 | if(retval == 0xffffd98f) { 18 | send("Return value == errSSLServerAuthCompleted"); 19 | var func_ptr = Module.findExportByName('Security', 'SSLHandshake'); 20 | var my_function = new NativeFunction(ptr(func_ptr), 'int', ['pointer']); 21 | //OSStatus SSLHandshake (SSLContextRef context) 22 | send("Calling SSLHandshake again"); 23 | retval.replace(0x00); 24 | my_function(this.sslContext); 25 | } 26 | } 27 | }); 28 | } catch (error) { 29 | console.log("Ignoring " + imp.name + ": " + error.message); 30 | } 31 | } 32 | 33 | if (imp.type == "function" && imp.name == "SSLSetSessionOption") { 34 | try { 35 | Interceptor.attach(ptr(imp.address), { 36 | onEnter: function(args) { 37 | send ("Hooking SSLSetSessionOption"); 38 | //SSLSetSessionOption (SSLContextRef context, SSLSessionOption option, Boolean value) { 39 | //kSSLSessionOptionBreakOnServerAuth = 0 40 | if (args[1] == 0) { 41 | this.hooked = true; 42 | } 43 | }, 44 | onLeave: function(retval) { 45 | if(this.hooked) { 46 | send("Modifying return value to noErr"); 47 | retval.replace(0); 48 | } 49 | } 50 | }); 51 | } catch (error) { 52 | console.log("Ignoring 
" + imp.name + ": " + error.message); 53 | } 54 | } 55 | 56 | if (imp.type == "function" && imp.name == "SSLCreateContext"){ 57 | try { 58 | Interceptor.attach(ptr(imp.address), { 59 | onEnter: function(args) { 60 | send ("Hooking SSLCreateContext"); 61 | //SSLCreateContext (CFAllocatorRef alloc,SSLProtocolSide protocolSide,SSLConnectionType connectionType); 62 | }, 63 | onLeave: function(retval) { 64 | var sslContext = retval; 65 | var func_ptr = Module.findExportByName('Security', 'SSLSetSessionOption'); 66 | var my_function = new NativeFunction(ptr(func_ptr), 'pointer', ['pointer', 'int', 'int']); 67 | //kSSLSessionOptionBreakOnServerAuth = 0 68 | //SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, true); 69 | send("Calling function SSLSetSessionOption(sslContext,kSSLSessionOptionBreakOnServerAuth,true"); 70 | my_function(sslContext, 0 , 1); 71 | } 72 | }); 73 | } catch (error) { 74 | console.log("Ignoring " + imp.name + ": " + error.message); 75 | } 76 | } 77 | }, 78 | onComplete: function (e) { 79 | send("Certificate Pinning Hooked"); 80 | } 81 | }); 82 | } 83 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/afn_pinnning.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | async function disablePinning (args) { 4 | disableValidatesDomainName(); 5 | setAllowInvalidCertificates(); 6 | pinnedCertificatesToNull(); 7 | setPolicyWithPinningModeToNone(); 8 | setSSLPinningModeNull(); 9 | 10 | // One-Shot Hook 11 | //disableEvaluateServerTrust(); 12 | } 13 | 14 | function disableEvaluateServerTrust () { 15 | var resolver = new ApiResolver('objc'); 16 | var matches = resolver.enumerateMatchesSync("-[AFSecurityPolicy evaluateServerTrust:forDomain:]"); 17 | if (matches.lenght == 0) { 18 | return; 19 | } 20 | Interceptor.attach( 21 | ptr(matches[0]["address"]), 22 | { 23 | onLeave: function(retval) { 24 | console.log("[*] 
-[AFSecurityPolicy evaluateServerTrust:forDomain:] hits!"); 25 | retval.replace(ptr(0x01)); 26 | } 27 | } 28 | ); 29 | } 30 | 31 | function pinnedCertificatesToNull () { 32 | var AFSecurityPolicy = ObjC.classes["AFSecurityPolicy"]; 33 | Interceptor.attach( 34 | AFSecurityPolicy["- setPinnedCertificates:"].implementation, { 35 | onEnter(args) { 36 | if (!args[2].isNull()) { 37 | console.log("Replacing AFSecurityPolicy setPinnedCertificates: = nil "); 38 | args[2] = new NativePointer(0x0); //AFSSLPinningModeNone 39 | } 40 | } 41 | } 42 | ); 43 | } 44 | 45 | // -[AFSecurityPolicy setValidatesDomainName:] 46 | function disableValidatesDomainName (){ 47 | var AFSecurityPolicy = ObjC.classes["AFSecurityPolicy"]; 48 | Interceptor.attach( 49 | AFSecurityPolicy["- setValidatesDomainName:"].implementation, { 50 | onEnter(args) { 51 | if (!args[2].isNull()) { 52 | console.log("Replacing AFSecurityPolicy - setValidatesDomainName: = NO "); 53 | args[2] = new NativePointer(0x0); 54 | } 55 | } 56 | } 57 | ); 58 | } 59 | 60 | // -[AFSecurityPolicy setSSLPinningMode:] 61 | function setSSLPinningModeNull () { 62 | var AFSecurityPolicy = ObjC.classes["AFSecurityPolicy"]; 63 | Interceptor.attach( 64 | AFSecurityPolicy["- setSSLPinningMode:"].implementation, { 65 | onEnter(args) { 66 | if (!args[2].isNull()) { 67 | console.log("Replacing AFSecurityPolicy setSSLPinningMode = AFSSLPinningModeNone "); 68 | args[2] = new NativePointer(0x0); //AFSSLPinningModeNone 69 | } 70 | } 71 | } 72 | ); 73 | } 74 | 75 | // -[AFSecurityPolicy setAllowInvalidCertificates:] 76 | function setAllowInvalidCertificates () { 77 | var AFSecurityPolicy = ObjC.classes["AFSecurityPolicy"]; 78 | Interceptor.attach( 79 | AFSecurityPolicy["- setAllowInvalidCertificates:"].implementation, { 80 | onEnter(args) { 81 | // setAllowInvalidCertificates == NO 82 | if (args[2].equals(new NativePointer(0x0))) { 83 | console.log("Replacing AFSecurityPolicy setAllowInvalidCertificates = YES "); 84 | args[2] = new 
NativePointer(0x1); 85 | } 86 | } 87 | } 88 | ); 89 | } 90 | 91 | // +[AFSecurityPolicy policyWithPinningMode:] 92 | // +[AFSecurityPolicy policyWithPinningMode:withPinnedCertificates:] 93 | function setPolicyWithPinningModeToNone () { 94 | var AFSecurityPolicy = ObjC.classes["AFSecurityPolicy"]; 95 | Interceptor.attach( 96 | AFSecurityPolicy["+ policyWithPinningMode:"].implementation, { 97 | onEnter(args) { 98 | if (!args[2].isNull()) { 99 | console.log("Replacing AFSecurityPolicy policyWithPinningMode = AFSSLPinningModeNone "); 100 | args[2] = new NativePointer(0x0); 101 | } 102 | } 103 | } 104 | ); 105 | if (AFSecurityPolicy["+ policyWithPinningMode:withPinnedCertificates:"]) { 106 | Interceptor.attach( 107 | AFSecurityPolicy["+ policyWithPinningMode:withPinnedCertificates:"].implementation, { 108 | onEnter(args) { 109 | if (!args[2].isNull()) { 110 | console.log("Replacing AFSecurityPolicy policyWithPinningMode:withPinnedCertificates: = AFSSLPinningModeNone "); 111 | args[2] = new NativePointer(0x0); 112 | } 113 | } 114 | } 115 | ); 116 | } 117 | } 118 | 119 | disablePinning(); -------------------------------------------------------------------------------- /frida-scripts-master/pinning/boringssl_pinning.js: -------------------------------------------------------------------------------- 1 | /* Description: iOS 13 SSL Bypass based on https://codeshare.frida.re/@federicodotta/ios13-pinning-bypass/ 2 | and https://medium.com/@macho_reverser/bypassing-certificate-pinning-on-ios-12-with-frida-809acdb875e7 3 | */ 4 | 5 | const commands = { 6 | 'disable_ssl_pinning':disablePinning 7 | }; 8 | 9 | r2frida.pluginRegister('sslpinning', function (name) { 10 | return commands[name]; 11 | }); 12 | 13 | async function disablePinning (args) { 14 | try { 15 | Module.ensureInitialized("libboringssl.dylib"); 16 | } catch(err) { 17 | console.log("libboringssl.dylib module not loaded. 
Trying to manually load it.") 18 | Module.load("libboringssl.dylib"); 19 | } 20 | 21 | var SSL_VERIFY_NONE = 0; 22 | var ssl_set_custom_verify; 23 | var ssl_get_psk_identity; 24 | 25 | ssl_set_custom_verify = new NativeFunction( 26 | Module.findExportByName("libboringssl.dylib", "SSL_set_custom_verify"), 27 | 'void', ['pointer', 'int', 'pointer'] 28 | ); 29 | 30 | ssl_get_psk_identity = new NativeFunction( 31 | Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity"), 32 | 'pointer', ['pointer'] 33 | ); 34 | 35 | function custom_verify_callback_that_does_not_validate(ssl, out_alert){ 36 | return SSL_VERIFY_NONE; 37 | } 38 | 39 | var ssl_verify_result_t = new NativeCallback(function (ssl, out_alert){ 40 | custom_verify_callback_that_does_not_validate(ssl, out_alert); 41 | },'int',['pointer','pointer']); 42 | 43 | Interceptor.replace(ssl_set_custom_verify, new NativeCallback(function(ssl, mode, callback) { 44 | ssl_set_custom_verify(ssl, mode, ssl_verify_result_t); 45 | }, 'void', ['pointer', 'int', 'pointer'])); 46 | 47 | Interceptor.replace(ssl_get_psk_identity, new NativeCallback(function(ssl) { 48 | return "notarealPSKidentity"; 49 | }, 'pointer', ['pointer'])); 50 | } -------------------------------------------------------------------------------- /frida-scripts-master/pinning/disable_sectrustEvaluate.js: -------------------------------------------------------------------------------- 1 | function disable_SecTrustEvaluate() { 2 | // Get SecTrustEvaluate address 3 | var SecTrustEvaluate_prt = Module.findExportByName("Security", "SecTrustEvaluate"); 4 | if (SecTrustEvaluate_prt == null) { 5 | console.log("[!] Security!SecTrustEvaluate(...) 
not found!"); 6 | return; 7 | } 8 | 9 | // Create native function wrappers for SecTrustEvaluate 10 | var SecTrustEvaluate = new NativeFunction(SecTrustEvaluate_prt, "int", ["pointer", "pointer"]); 11 | 12 | // Hook SecTrustEvaluate 13 | Interceptor.replace(SecTrustEvaluate_prt, new NativeCallback(function(trust, result) { 14 | // Show "hit!" message if we are in debugging mode 15 | console.log("[*] SecTrustEvaluate(...) hit!"); 16 | // Call original function 17 | var osstatus = SecTrustEvaluate(trust, result); 18 | // Change the result to kSecTrustResultProceed 19 | Memory.writeU8(result, 1); 20 | // Return errSecSuccess 21 | return 0; 22 | }, "int", ["pointer", "pointer"])); 23 | // It's done! 24 | console.log("[*] SecTrustEvaluate(...) hooked. SSL should be pinning disabled."); 25 | } 26 | 27 | // Run the script 28 | disable_SecTrustEvaluate(); 29 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/nsurl_pinning.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | async function disablePinning (args) { 4 | const NSURLCredential = ObjC.classes.NSURLCredential; 5 | const resolver = new ApiResolver("objc"); 6 | resolver.enumerateMatches( "-[* URLSession:didReceiveChallenge:completionHandler:]", { 7 | onMatch: function (i) { 8 | console.log('Found NSURLSession based classes.'); 9 | 10 | Interceptor.attach(i.address, { 11 | onEnter(args) { 12 | const receiver = new ObjC.Object(args[0]); 13 | const selector = ObjC.selectorAsString(args[1]); 14 | 15 | console.log(`-[${receiver} ${selector}] Hooked`); 16 | const challenge = new ObjC.Object(args[3]); 17 | 18 | const completionHandler = new ObjC.Block(args[4]); 19 | const savedCompletionHandler = completionHandler.implementation; 20 | const NSURLSessionAuthChallengeUseCredential = 0 21 | 22 | completionHandler.implementation = function() {  23 | console.log("Modified completionHandler called."); 24 | const 
credential = NSURLCredential.credentialForTrust_(challenge.protectionSpace().serverTrust()); 25 | challenge.sender().useCredential_forAuthenticationChallenge_(credential, challenge); 26 | 27 | savedCompletionHandler(NSURLSessionAuthChallengeUseCredential, credential); 28 | }; 29 | }}); 30 | }, 31 | onComplete: function () { 32 | } 33 | }); 34 | } 35 | 36 | disablePinning(); 37 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/ssl_pinning.js: -------------------------------------------------------------------------------- 1 | var errSSLServerAuthCompleted = -9481; 2 | var kSSLSessionOptionBreakOnServerAuth = 0; 3 | var noErr = 0; 4 | var SSLHandshake = new NativeFunction( 5 | Module.findExportByName("Security", "SSLHandshake"), 6 | 'int', 7 | ['pointer'] 8 | ); 9 | Interceptor.replace(SSLHandshake, new NativeCallback(function (context) { 10 | var result = SSLHandshake(context); 11 | if (result == errSSLServerAuthCompleted) { 12 | send("Replacing SSLHandshake"); 13 | return SSLHandshake(context); 14 | } 15 | return result; 16 | }, 'int', ['pointer'])); 17 | var SSLCreateContext = new NativeFunction( 18 | Module.findExportByName("Security", "SSLCreateContext"), 19 | 'pointer', 20 | ['pointer', 'int', 'int'] 21 | ); 22 | Interceptor.replace(SSLCreateContext, new NativeCallback(function (alloc, protocolSide, connectionType) { 23 | send("Replacing SSLCreateContext"); 24 | var sslContext = SSLCreateContext(alloc, protocolSide, connectionType); 25 | SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, 1); 26 | return sslContext; 27 | }, 'pointer', ['pointer', 'int', 'int'])); 28 | var SSLSetSessionOption = new NativeFunction( 29 | Module.findExportByName("Security", "SSLSetSessionOption"), 30 | 'int', 31 | ['pointer', 'int', 'bool'] 32 | ); 33 | Interceptor.replace(SSLSetSessionOption, new NativeCallback(function (context, option, value) { 34 | if (option == kSSLSessionOptionBreakOnServerAuth) { 
35 | send("Replacing SSLSetSessionOption"); 36 | return noErr; 37 | } 38 | return SSLSetSessionOption(context, option, value); 39 | }, 'int', ['pointer', 'int', 'bool'])); 40 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/tls_12_pinning.js: -------------------------------------------------------------------------------- 1 | /* Description: iOS 12 SSL Bypass based on blog post https://nabla-c0d3.github.io/blog/2019/05/18/ssl-kill-switch-for-ios12/ 2 | * Author: @macho_reverser 3 | */ 4 | try { 5 | Module.load('/usr/lib/libboringssl.dylib'); 6 | } catch (e) { 7 | 8 | } 9 | // Variables 10 | var SSL_VERIFY_NONE = 0; 11 | var ssl_ctx_set_custom_verify; 12 | var ssl_get_psk_identity; 13 | 14 | /* Create SSL_CTX_set_custom_verify NativeFunction 15 | * Function signature https://github.com/google/boringssl/blob/7540cc2ec0a5c29306ed852483f833c61eddf133/include/openssl/ssl.h#L2294 16 | */ 17 | ssl_ctx_set_custom_verify = new NativeFunction( 18 | Module.findExportByName("libboringssl.dylib", "SSL_CTX_set_custom_verify"), 19 | 'void', ['pointer', 'int', 'pointer'] 20 | ); 21 | 22 | /* Create SSL_get_psk_identity NativeFunction 23 | * Function signature https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_get_psk_identity 24 | */ 25 | ssl_get_psk_identity = new NativeFunction( 26 | Module.findExportByName("libboringssl.dylib", "SSL_get_psk_identity"), 27 | 'pointer', ['pointer'] 28 | ); 29 | 30 | /** Custom callback passed to SSL_CTX_set_custom_verify */ 31 | function custom_verify_callback_that_does_not_validate(ssl, out_alert) { 32 | return SSL_VERIFY_NONE; 33 | } 34 | 35 | /** Wrap callback in NativeCallback for frida */ 36 | var ssl_verify_result_t = new NativeCallback(function(ssl, out_alert) { 37 | custom_verify_callback_that_does_not_validate(ssl, out_alert); 38 | }, 'int', ['pointer', 'pointer']); 39 | 40 | /* Do the actual bypass */ 41 | function bypassSSL() { 42 | 
console.log("[+] Bypass successfully loaded "); 43 | 44 | Interceptor.replace(ssl_ctx_set_custom_verify, new NativeCallback(function(ssl, mode, callback) { 45 | // |callback| performs the certificate verification. Replace this with our custom callback 46 | ssl_ctx_set_custom_verify(ssl, mode, ssl_verify_result_t); 47 | }, 'void', ['pointer', 'int', 'pointer'])); 48 | 49 | Interceptor.replace(ssl_get_psk_identity, new NativeCallback(function(ssl) { 50 | return "notarealPSKidentity"; 51 | }, 'pointer', ['pointer'])); 52 | 53 | } 54 | 55 | bypassSSL(); 56 | -------------------------------------------------------------------------------- /frida-scripts-master/pinning/tls_pinning.js: -------------------------------------------------------------------------------- 1 | var tls_helper_create_peer_trust; 2 | var nw_tls_create_peer_trust; 3 | var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString(); 4 | 5 | /* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */ 6 | nw_tls_create_peer_trust = new NativeFunction( 7 | Module.findExportByName(null, "nw_tls_create_peer_trust"), 8 | 'int', ['pointer', 'bool', 'pointer'] 9 | ); 10 | /* OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */ 11 | tls_helper_create_peer_trust = new NativeFunction( 12 | Module.findExportByName(null, "tls_helper_create_peer_trust"), 13 | 'int', ['pointer', 'bool', 'pointer'] 14 | ); 15 | 16 | var errSecSuccess = 0; 17 | 18 | Interceptor.replace(nw_tls_create_peer_trust, new NativeCallback(function(hdsk, server, trustRef) { 19 | return errSecSuccess; 20 | }, 'int', ['pointer', 'bool', 'pointer'])); 21 | 22 | Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function(hdsk, server, trustRef) { 23 | return errSecSuccess; 24 | }, 'int', ['pointer', 'bool', 'pointer'])); 25 | console.log("TLS certificate validation bypass active"); 26 | 
--------------------------------------------------------------------------------
/frida-scripts-master/pinning/universal_pinning.js:
--------------------------------------------------------------------------------
/*
 * Certificate collector. Nothing in this file alters a trust decision: the
 * replacement installed on SecCertificateCreateWithBytes() forwards every call
 * to the real function and returns its result. Along the way it reports each
 * distinct certificate blob to the host, together with its SHA-256 digest.
 */

// Hex SHA-256 digests of the certificate blobs that were already reported.
var collectedCertificates = [];

// Native wrapper used by calcSHA256().
// NOTE(review): the symbol is looked up in the 'Security' module, but CC_SHA256
// is a CommonCrypto routine; confirm the lookup resolves on the target OS
// (Module.getExportByName throws when the export is missing).
// NOTE(review): the C prototype returns a pointer and takes a 32-bit length;
// the 'uint64' types declared here should be checked against it.
var CC_SHA256 = new NativeFunction(
    Module.getExportByName('Security', 'CC_SHA256'),
    'uint64',
    ['pointer', 'uint64', 'pointer']
);

/**
 * Hash a native buffer with CC_SHA256.
 * @param buffer - native pointer to the first byte to hash
 * @param bufferLength - number of bytes to hash
 * @returns {string} the digest as 64 lowercase hex characters
 */
function calcSHA256(buffer, bufferLength) {
    var digest = Memory.alloc(32); // a SHA-256 digest is 32 bytes
    CC_SHA256(buffer, bufferLength, digest);
    return toHexString(digest.readByteArray(32));
}

/**
 * Render an ArrayBuffer as lowercase hex, two characters per byte.
 * @param {ArrayBuffer} buffer - bytes to render
 * @returns {string} hex string of length 2 * buffer.byteLength
 */
function toHexString(buffer) {
    var bytes = new Uint8Array(buffer);
    var hexPairs = [];
    for (var idx = 0; idx < bytes.length; idx++) {
        var hex = bytes[idx].toString(16);
        // Left-pad single-digit values so every byte takes two characters.
        hexPairs.push(hex.length === 1 ? '0' + hex : hex);
    }
    return hexPairs.join('');
}

// Address of the function to wrap.
// NOTE(review): findExportByName returns null when the export is absent; the
// NativeFunction constructor below is not guarded against that.
var SecCertificateCreateWithBytes_prt = Module.findExportByName("Security", "SecCertificateCreateWithBytes");

// Callable handle to the real implementation, used to forward each call.
var SecCertificateCreateWithBytes= new NativeFunction(
    SecCertificateCreateWithBytes_prt, "pointer", ["pointer", "pointer", "uint64"]
);

/**
 * Install the collecting replacement on SecCertificateCreateWithBytes().
 * Each blob is reported once per script lifetime, deduplicated by digest.
 */
function catchCertificates() {
    // Records the blob if it is new, then defers to the real function.
    function recordAndForward(something, certAddress, certLength) {
        var digest = calcSHA256(certAddress, certLength);
        var alreadySeen = collectedCertificates.indexOf(digest) >= 0;
        if (!alreadySeen) {
            collectedCertificates.push(digest);
            // The digest is the message; the raw certificate bytes ride along
            // as the binary payload of send().
            send(digest, certAddress.readByteArray(certLength));
        }
        return SecCertificateCreateWithBytes(something, certAddress, certLength);
    }

    Interceptor.replace(
        SecCertificateCreateWithBytes_prt,
        new NativeCallback(recordAndForward, "pointer", ["pointer", "pointer", "uint64"])
    );
    send("[*] SecCertificateCreateWithBytes(...) hooked!");
}
catchCertificates();

-------------------------------------------------------------------------------- /frida-scripts-master/pinning/xamarin_pinning.js: -------------------------------------------------------------------------------- 1 | var func = DebugSymbol.getFunctionByName("Security_Tls_MobileCertificateHelper_Validate_string_bool_Mono_Security_Interface_ICertificateValidator2_System_Security_Cryptography_X509Certificates_X509CertificateCollection"); 2 | 3 | send ("Attaching to Security_Tls_MobileCertificateHelper_Validate => "+func); 4 | 5 | Interceptor.attach(func, { 6 | onEnter: function (args) { 7 | send("=> Function ChainValidation"); 8 | }, 9 | onLeave: function (retval) { 10 | send ("Retval - Bool: " + retval); 11 | if (retval == 0) { 12 | retval.replace(0x01); 13 | send ("HOOK => Modifying original return value of ChainValidation"); 14 | send ("Retval - Bool: " + retval); 15 | } 16 | } 17 | }); 18 | 19 | 20 | var func3 = DebugSymbol.getFunctionByName("Security_Tls_MobileCertificateHelper_InvokeSystemCertificateValidator_Mono_Security_Interface_ICertificateValidator2_string_bool_System_Security_Cryptography_X509Certificates_X509CertificateCollection_bool__Mono_Security_Interface_MonoSslPolicyErrors__int_"); 21 | 22 | send ("Attaching to Security_Tls_MobileCertificateHelper_InvokeSystemCertificateValidator_Mono_Security_Interface_ICertificateValidator2_string_bool_System_Security_Cryptography_X509Certificates_X509CertificateCollection_bool__Mono_Security_Interface_MonoSslPolicyErrors__int_ => "+func3); 23 | 24 | Interceptor.attach(func3, { 25 | onEnter: function (args) { 26 | this.success = args[4]; 27 | send("=> Function Security_Tls_MobileCertificateHelper_InvokeSystemCertificateValidator_Mono_Security_Interface_ICertificateValidator2_string_bool_System_Security_Cryptography_X509Certificates_X509CertificateCollection_bool__Mono_Security_Interface_MonoSslPolicyErrors__int_"); 28 | send 
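("validator (Certvalidator)=> "+args[0]); 29 | send ("targetHost (string) => "+args[1]); 30 | send ("serverMode (bool) => "+args[2]); 31 | send ("certificates (x509)=> "+args[3]); 32 | send ("success_out (bool) => "+this.success); 33 | send ("errors (ref SSLPolicy) => "+args[5]); 34 | send ("status (ref int) => "+args[6]); 35 | }, 36 | onLeave: function (retval) { 37 | send ("Retval InvokeSystemCertificateValidator - Bool: " + retval); 38 | var success_orig = Memory.readU8(this.success); 39 | send ("Reading Original Value from success => " + success_orig); 40 | if(success_orig == 0) { 41 | send ("HOOK => Modifying original value of success"); 42 | Memory.writeU8(this.success, 0x01) 43 | send ("Reading Modified Value from success => " + Memory.readU8(this.success)); 44 | } 45 | } 46 | }); 47 | 
--------------------------------------------------------------------------------
/frida-scripts-master/sqlite/libsqlite3_monitor.js:
--------------------------------------------------------------------------------
/*
 * SQLite call tracer: attaches to the sqlite3_open* and sqlite3_prepare*
 * exports of libsqlite3.dylib and reports each call to the host with send().
 * Read-only: no argument or return value is modified.
 */
var libraries = Process.enumerateModulesSync();
// Indexed loops: for...in on an array also walks any enumerable property that
// was added to the array or its prototype.
for (var i = 0; i < libraries.length; i++) {
    if (libraries[i].name == 'libsqlite3.dylib' ) {
        send("Using library : " + libraries[i].name);
        var functions = Module.enumerateExportsSync("libsqlite3.dylib");
        for (var j = 0; j < functions.length; j++) {
            if (functions[j].name == 'sqlite3_open'
                || functions[j].name == 'sqlite3_open16'
                || functions[j].name == 'sqlite3_open_v2') {
                send("Found target method : " + functions[j].name);
                Interceptor.attach(functions[j].address, {
                    // The callback key is case-sensitive. It was spelled
                    // `OnEnter`, a key Frida does not look for, so this
                    // logger was never invoked.
                    onEnter: function(args) {
                        // NOTE(review): args[0] is a NativePointer, so this
                        // prints an address rather than the path text. Decoding
                        // depends on the variant (sqlite3_open16 takes UTF-16).
                        send("[+][libsqlite3.dylib] Database open at: " + args[0].toString());
                    }
                });
            }
            if (functions[j].name == 'sqlite3_prepare'
                || functions[j].name == 'sqlite3_prepare_v2'
                || functions[j].name == 'sqlite3_prepare16_v2'
                || functions[j].name == 'sqlite3_prepare16') {
                send("Found target method : " + functions[j].name);
                Interceptor.attach(functions[j].address, {
                    // Same correction as above: `OnEnter` -> `onEnter`.
                    onEnter: function(args) {
                        // NOTE(review): both values are printed as pointer
                        // addresses. The statement text behind args[1] is not
                        // guaranteed to be NUL-terminated when the caller
                        // passes an explicit byte count, so a decoder has to
                        // honour that length argument.
                        send("[+][libsqlite3.dylib] Database SQL At: " + args[0].toString());
                        send("\t - SQL: " + args[1].toString());
                    }
                });
            }
        }
    }
}

--------------------------------------------------------------------------------
/frida-scripts-master/touch_id/touchid-bypass.js:
--------------------------------------------------------------------------------
/*
 * Hooks -[LAContext evaluatePolicy:localizedReason:reply:] and replaces the
 * implementation of the reply block (args[4]). The app's original block is then
 * called with the constants (1, null) instead of the values LocalAuthentication
 * produced. The wrapper's own parameters (error, value) are never read.
 *
 * Defender's reading: the outcome an app sees from this API is whatever its
 * reply block is called with, and code running inside the process can choose
 * that. A gate that only branches on the reply's boolean therefore does not
 * hold on an instrumented device. Keeping the protected secret in a Keychain
 * item whose access control (SecAccessControlCreateWithFlags) requires user
 * presence or biometry moves the decision out of the app process.
 */
if(ObjC.available) {
    console.log("Injecting...");
    var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];
    Interceptor.attach(hook.implementation, {
        onEnter: function(args) {
            var block = new ObjC.Block(args[4]);
            // Keep the app's original reply implementation so it can still run.
            const callback = block.implementation;
            block.implementation = function (error, value) {

                console.log("Changing the result value to true")
                const result = callback(1, null);
                return result;
            };
        },
    });
} else {
    console.log("Objective-C Runtime is not available!");
}

-------------------------------------------------------------------------------- /frida-scripts/README.md: -------------------------------------------------------------------------------- 1 | # frida-scripts 2 | [![](https://img.shields.io/github/stars/0xdea/frida-scripts.svg?color=yellow)](https://github.com/0xdea/frida-scripts) 3 | [![](https://img.shields.io/github/forks/0xdea/frida-scripts.svg?color=green)](https://github.com/0xdea/frida-scripts) 4 | [![](https://img.shields.io/github/watchers/0xdea/frida-scripts.svg?color=red)](https://github.com/0xdea/frida-scripts) 5 | [![](https://img.shields.io/badge/license-MIT%20License-red.svg?color=lightgray)](https://opensource.org/licenses/MIT) 6 | [![](https://img.shields.io/badge/twitter-%400xdea-blue.svg)](https://twitter.com/0xdea) 7 | 8 | A collection of my Frida.re instrumentation scripts to facilitate reverse engineering of mobile apps. 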
9 | 10 | Blog post: 11 | https://web.archive.org/web/20200623001844/https://techblog.mediaservice.net/2017/09/tracing-arbitrary-methods-and-function-calls-on-android-and-ios/ 12 | 13 | For a well-maintained project that includes some of my Frida scripts, refer to: 14 | https://github.com/federicodotta/Brida 15 | 16 | ## iOS 17 | * **raptor_frida_ios_trace.js**. Full-featured ObjC and Module tracer for iOS. 18 | * **raptor_frida_ios_enum.js**. Collection of functions to enumerate ObjC classes and methods. 19 | * **ios-snippets/raptor_frida_ios_*.js**. Miscellaneous script snippets for iOS. 20 | 21 | ## Android 22 | * **raptor_frida_android_trace.js**. Full-featured Java and Module tracer for Android. 23 | * **raptor_frida_android_enum.js**. Collection of functions to enumerate Java classes and methods. 24 | * **android-snippets/raptor_frida_android_*.js**. Miscellaneous script snippets for Android. 25 | -------------------------------------------------------------------------------- /frida-scripts/raptor_frida_ios_bypass1.js: -------------------------------------------------------------------------------- 1 | /* 2 | * raptor_frida_ios_*.js - Frida script snippets for iOS 3 | * Copyright (c) 2017 Marco Ivaldi 4 | * 5 | * Frida.re JS script snippets for iOS/ObjC instrumentation. 6 | * See https://www.frida.re/ and https://codeshare.frida.re/ 7 | * for further information on this powerful tool. 8 | * 9 | * "We want to help others achieve interop through reverse 10 | * engineering" -- @oleavr 11 | * 12 | * Many thanks to Maurizio Agazzini 13 | * and Federico Dotta . 
*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*/

if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // SSL pinning bypass: change retval, reimplementation technique.
    //
    // CertPinning and "- getID:" are the class and selector of the app this
    // snippet was written against. The 40-hex-digit string is presumably the
    // identifier that app's own check expects (its length matches a SHA-1
    // digest) -- confirm against the build under assessment.
    //
    // Assessment takeaway: a pinning verdict that is just a value returned
    // inside the app process can be overridden by anyone able to instrument
    // that process, so it should not be the only control between a
    // user-controlled device and the backend.

    var CertPinning = ObjC.classes.CertPinning;
    var getID = CertPinning["- getID:"];

    // Original implementation, kept so it can still be called (see the
    // commented-out line below).
    var getID_oldImpl = getID.implementation;

    getID.implementation = ObjC.implement(getID, function (handle, selector, arg1) {
        //return getID_oldImpl(handle, selector, arg1);
        console.log("info: entered getID");
        return ObjC.classes.NSString.stringWithString_("151f09ff42c55a4fcbae2246eb58f1d2f2168c0d");
    });

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_bypass2.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*/

if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // Jailbreak detection bypass: change retval, onLeave technique.
    //
    // JailbreakChecks / "- isJailbroken" are the names used by the app this
    // snippet was written against. The handler wraps the return value as an
    // object and swaps in the NSString "false", so it assumes the method
    // returns a string rather than a BOOL -- verify against the target.
    //
    // Assessment takeaway: a verdict computed and consumed on the device can
    // be rewritten on the device; treat a local jailbreak check as a risk
    // signal, not as an enforcement point.

    var hook = ObjC.classes.JailbreakChecks["- isJailbroken"];

    Interceptor.attach(hook.implementation, {

        onLeave: function (retval) {
            console.log("info: exiting isJailbroken");

            // read retval
            var returned = ObjC.Object(retval);
            console.log("retval type:", returned.$class, returned.$className);
            console.log("old retval value:", returned.toString());

            // change retval
            retval.replace(ObjC.classes.NSString.stringWithString_("false"));

            // NOTE(review): this prints through the wrapper created before
            // replace(); whether it shows the new value depends on how the
            // wrapper holds its handle -- confirm.
            console.log("new retval value:", returned.toString());
        }
    });

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_call.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
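*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*/

if (ObjC.available) {

    // Call an Objective-C method with arbitrary parameters.
    // MyClass / "+ sendStrings:array:" are the names used by the app this
    // snippet was written against; the hook below only logs what the direct
    // call at the bottom passes in and gets back.

    var oldImpl = ObjC.classes.MyClass["+ sendStrings:array:"];

    Interceptor.attach(oldImpl.implementation, {

        onEnter: function (args) {
            console.log("info: entered sendStrings");

            // args[0] is self and args[1] the selector, so the declared
            // parameters start at index 2.

            // 1st arg
            var firstArg = ObjC.Object(args[2]);
            console.log("args[2] type:", firstArg.$class, firstArg.$className);
            console.log("args[2] value:", firstArg.toString());

            // 2nd arg
            var secondArg = ObjC.Object(args[3]);
            console.log("args[3] type:", secondArg.$class, secondArg.$className);
            console.log("args[3] value:", secondArg.toString());

            // 2nd arg's contents (array)
            // `i` is declared here; the original assigned it undeclared,
            // which created a script-wide global.
            for (var i = 0; i < secondArg.count(); i++)
                console.log(ObjC.Object(secondArg.objectAtIndex_(i)).$class);
        },

        onLeave: function (retval) {
            console.log("info: exiting sendStrings");

            // retval
            var returned = ObjC.Object(retval);
            console.log("retval type:", returned.$class, returned.$className);
            console.log("retval value:", returned.toString());
        }

    });

    // build 1st arg (string)
    // "somestring"
    var arg1 = ObjC.classes.NSString.stringWithString_("somestring");

    // build 2nd arg (NSMutableArray)
    // (
    //     "foo",
    //     "bar",
    //     "someotherstring"
    // )
    var arg2_1 = ObjC.classes.NSString.stringWithString_("foo");
    var arg2_2 = ObjC.classes.NSString.stringWithString_("bar");
    var arg2_3 = ObjC.classes.NSString.stringWithString_("someotherstring");
    var arg2 = ObjC.classes.NSMutableArray.alloc().init();
    arg2.addObject_(arg2_1);
    arg2.addObject_(arg2_2);
    arg2.addObject_(arg2_3);

    // call the target method
    var token = ObjC.classes.MyClass.sendStrings_array_(arg1, arg2);
    console.log(token.toString());

} else {
    send("error: Objective-C Runtime is not available!");
}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_debug.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
 *
 * Example usage:
 * # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
 */

if (ObjC.available) {

    // Debug a method: log the arguments and the return value of one
    // selector. KeychainManager / "+ readKey:" are the names used by the
    // app this snippet was written against.

    var oldImpl = ObjC.classes.KeychainManager["+ readKey:"];

    // console.log(ptr(oldImpl.implementation)); // DEBUG

    Interceptor.attach(oldImpl.implementation, {

        onEnter: function (args) {

            // debug only the intended calls
            // (with the filter below commented out, every call is logged)
            this.flag = 0;
            //if (ObjC.Object(args[2]).toString() == "1234567890abcdef1234567890abcdef12345678")
                this.flag = 1;

            if (this.flag) {
                console.log("info: entered method");

                // A NativePointer is a JS object and therefore truthy even
                // when it holds NULL, so nil has to be tested with isNull().

                // 1st arg
                if (!args[2].isNull()) {
                    var firstArg = ObjC.Object(args[2]);
                    console.log("args[2] type:", firstArg.$class, firstArg.$className);
                    console.log("args[2] value:", firstArg.toString());
                }

                // 2nd arg
                // NOTE(review): "+ readKey:" has a single colon, so args[3]
                // is not a declared parameter of this selector; the branch
                // is a template for two-argument methods and wrapping the
                // value may fail here.
                if (!args[3].isNull()) {
                    var secondArg = ObjC.Object(args[3]);
                    console.log("args[3] type:", secondArg.$class, secondArg.$className);
                    console.log("args[3] value:", secondArg.toString());
                }
            }
        },

        onLeave: function (retval) {

            if (this.flag) {
                console.log("info: exiting method");

                // retval (nil is skipped, see the isNull() note above)
                if (!retval.isNull()) {
                    var returned = ObjC.Object(retval);
                    console.log("retval type:", returned.$class, returned.$className);
                    console.log("retval value:", returned.toString());
                }
            }
        }

    });

} else {
    send("error: Objective-C Runtime is not available!");
}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_enum.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_enum.js - ObjC class/method enumerator
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS functions to enumerate ObjC classes and
 * methods declared in an iOS app. See https://www.frida.re/
 * and https://codeshare.frida.re/ for further information on
 * this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Example usage:
 * # frida -U -f com.target.app -l raptor_frida_ios_enum.js --no-pause
 *
 * Get the latest version at:
 * https://github.com/0xdea/frida-scripts/
 */

// enumerate all ObjC classes
// Returns an array with the own property names of ObjC.classes.
function enumAllClasses()
{
    var names = [];

    for (var name in ObjC.classes) {
        if (!ObjC.classes.hasOwnProperty(name))
            continue;
        names.push(name);
    }

    return names;
}

// find all ObjC classes that match a pattern
// `pattern` is handed to String.prototype.match, so it may be a RegExp or a
// string. Returns an array of matching class names.
function findClasses(pattern)
{
    return enumAllClasses().filter(function (name) {
        return name.match(pattern);
    });
}

// enumerate all methods declared in an ObjC class
// Returns the $ownMethods list of the class named `targetClass`.
function enumMethods(targetClass)
{
    return ObjC.classes[targetClass].$ownMethods;
}

// enumerate all methods declared in all ObjC classes
// Returns an object keyed by class name; a class appears only if it
// declares at least one method of its own.
function enumAllMethods()
{
    var methodsByClass = {};

    enumAllClasses().forEach(function (name) {
        enumMethods(name).forEach(function (method) {
            if (!methodsByClass[name])
                methodsByClass[name] = [];
            methodsByClass[name].push(method);
        });
    });

    return methodsByClass;
}

// find all ObjC methods that match a pattern
// Returns an object keyed by class name holding only the matching methods;
// classes without a match are left out.
function findMethods(pattern)
{
    var methodsByClass = enumAllMethods();
    var found = {};

    for (var name in methodsByClass) {
        methodsByClass[name].forEach(function (method) {
            if (!method.match(pattern))
                return;
            if (!found[name])
                found[name] = [];
            found[name].push(method);
        });
    }

    return found;
}

// usage examples
if (ObjC.available) {

    // enumerate all classes
    /*
    var a = enumAllClasses();
    a.forEach(function(s) {
        console.log(s);
    });
    */

    // find classes that match a pattern
    /*
    var a = findClasses(/password/i);
    a.forEach(function(s) {
        console.log(s);
    });
    */

    // enumerate all methods in a class
    /*
    var a = enumMethods("PasswordManager")
    a.forEach(function(s) {
        console.log(s);
    });
    */

    // enumerate all methods
    /*
    var d = enumAllMethods();
    for (k in d) {
        console.log(k);
        d[k].forEach(function(s) {
            console.log("\t" + s);
        });
    }
    */

    // find methods that match a pattern
    /*
    var d = findMethods(/password/i);
    for (k in d) {
        console.log(k);
        d[k].forEach(function(s) {
            console.log("\t" + s);
        });
    }
    */

} else {
    send("error: Objective-C Runtime is not available!");
}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_lowlevel1.js:
--------------------------------------------------------------------------------
/*
 *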
raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
 *
 * Example usage:
 * # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
 */

if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // Low-level intercept and binary data print example.
    //
    // Argument indices follow the CommonCrypto prototype
    //   CCCrypt(op, alg, options, key, keyLength, iv,
    //           dataIn, dataInLength, dataOut, dataOutAvailable, dataOutMoved)
    //
    // Assessment takeaway: whatever an app hands to CCCrypt, the key
    // included, is readable by instrumentation running in the same process,
    // so a symmetric key that exists only inside the app should be treated
    // as recoverable by whoever controls the device.

    // Print a label followed by a hexdump of `size` bytes at `address`.
    var dumpBuffer = function (label, address, size) {
        console.log(label);
        console.log(hexdump(ptr(address), {
            offset: 0,
            length: parseInt(size),
            header: true,
            ansi: true
        }));
    };

    Interceptor.attach(Module.findExportByName("libSystem.B.dylib", "CCCrypt"), {

        onEnter: function (args) {
            console.log("\n*** entered CCCrypt ***");
            dumpBuffer("\nkey:", args[3], args[4]);
            dumpBuffer("\ndataIn:", args[6], args[7]);

            // the output buffer is only filled once the call returns
            this.ret = args[8];
            // NOTE(review): args[9] is dataOutAvailable, i.e. the capacity
            // of the output buffer, so the dump in onLeave may include bytes
            // beyond what was actually written.
            this.retlen = args[9];
        },

        onLeave: function (retval) {
            dumpBuffer("\ndataOut:", this.ret, this.retlen);
            console.log("\n*** exiting CCCrypt ***");
        }
    });

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_lowlevel2.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
* See https://www.frida.re/ and https://codeshare.frida.re/
* for further information on this powerful tool.
*
* "We want to help others achieve interop through reverse
* engineering" -- @oleavr
*
* Many thanks to Maurizio Agazzini
* and Federico Dotta .
*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*/

if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // Low-level intercept and backtrace example: report who calls open()
    // on a path of interest.

    Interceptor.attach(Module.findExportByName("libSystem.B.dylib", "open"), {

        onEnter: function (args) {

            // debug only the intended calls
            this.flag = 0;

            // args[0] is read as a C string and used as the path filter
            var filename = Memory.readCString(ptr(args[0]));

            //if (filename.indexOf("Bundle") == -1 && filename.indexOf("Cache") == -1) // exclusion list
            if (filename.indexOf("my.interesting.file") != -1) // inclusion list
                this.flag = 1;

            if (!this.flag)
                return;

            // symbolicate each frame of the calling thread's stack
            var frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress);

            console.log("\nopen called from:\n", frames.join("\n"), "\n");
            //console.log(filename); // DEBUG
        }
    });

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_stalker.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*/

// is stalker active?
// Shared by every hook installed through stalkFunction(), so only one
// invocation at a time is followed.
var active = false;

// generic stalker
// A pattern containing a space is resolved as an ObjC pattern, anything
// else as a module pattern; every unique match gets its own hook.
function stalk(pattern)
{
    var kind = (pattern.indexOf(' ') === -1) ? 'module' : 'objc';
    var resolver = new ApiResolver(kind);
    var unique = uniqBy(resolver.enumerateMatchesSync(pattern), JSON.stringify);

    for (var i = 0; i < unique.length; i++)
        stalkFunction(unique[i].address, unique[i].name);
}

// remove duplicates from array
// `key` maps an item to the string used to decide equality; the first item
// seen for each key is kept.
function uniqBy(array, key)
{
    var seen = {};

    return array.filter(function (item) {
        var k = key(item);
        if (seen.hasOwnProperty(k))
            return false;
        seen[k] = true;
        return true;
    });
}

// actual stalker function
// Hooks `impl`; while it runs, follows the current thread with Stalker and
// prints each call target reported in the call summaries, prefixed by `name`.
function stalkFunction(impl, name)
{
    console.log("Stalking " + name);

    Interceptor.attach(impl, {

        onEnter: function (args) {

            // return if stalker is already active
            if (active)
                return;

            // initialize flag
            // (its presence on `this` tells onLeave that this invocation is
            // the one that started the Stalker)
            var seenTargets = {};
            this.flag = seenTargets;

            // activate stalker
            active = true;
            // console.warn("\n*** Stalker activated on " + name); // DEBUG

            Stalker.follow({

                events: {
                    call: true,  // CALL instructions: yes please
                    ret: false,  // RET instructions: no thanks
                    exec: false  // all instructions: no thanks
                },

                // onReceive: function (events) { // TODO
                    // Called with `events` containing a binary blob which is one or more
                    // GumEvent structs. See `gumevent.h` for the format. This is obviously a
                    // terrible API that is subject to change once a better trade-off between
                    // ease-of-use and performance has been found.
                // },

                onCallSummary: function (summary) {
                    // Called with `summary` being a key-value mapping of call target to number
                    // of calls, in the current time window. You would typically implement this
                    // instead of `onReceive` for efficiency.
                    console.log();
                    var targets = Object.keys(summary);
                    for (var i = 0; i < targets.length; i++) {
                        console.log(name + " > " + DebugSymbol.fromAddress(ptr(targets[i])).toString());
                        seenTargets[targets[i]] = true;
                    }
                }

            });
        },

        onLeave: function (retval) {

            // return if no flag
            if (this.flag === undefined)
                return;

            // deactivate stalker
            Stalker.unfollow();
            active = false;
            // console.warn("*** Stalker deactivated on " + name + "\n"); // DEBUG
        }

    });
}

// some examples
if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // stalk("*[OWSMessageSender *]"); // Signal
    // stalk("-[OWSMessageSender attemptToSendMessage*]"); // Signal
    // stalk("-[OWSMessageSender tag]"); // Signal
    // stalk("*[* *Password:*]");
    // stalk("exports:libSystem.B.dylib!open");
    // stalk("exports:*!open*");

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_touchid.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Useful snippet ripped from @henryhoggard's Needle module
 * "hooking/frida/script_touch-id-bypass".
*
* Example usage:
* # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
*
*/

if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    /*
     * method to hook:
     * - (void)evaluatePolicy:(LAPolicy)policy
     *         localizedReason:(NSString *)localizedReason
     *         reply:(void (^)(BOOL success, NSError *error))reply;
     *
     * Assessment takeaway: this works only when the app's decision is the
     * BOOL delivered to the reply block. Gating the protected secret behind
     * a Keychain item created with a biometric access-control flag
     * (SecAccessControlCreateWithFlags) leaves no in-process boolean to
     * flip, because the item itself is released only after the biometric
     * check.
     */
    var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"];

    Interceptor.attach(hook.implementation, {

        onEnter: function (args) {
            console.log("info: hooking Touch ID");

            // args[0] is self and args[1] the selector, so the third
            // declared parameter (reply) is args[4]
            var replyBlock = new ObjC.Block(args[4]); // hook the reply callback
            var originalReply = replyBlock.implementation;

            replyBlock.implementation = function (error, value) {
                // the incoming arguments are ignored
                return originalReply(1, null); // always return YES
            };
        }
    });

}
--------------------------------------------------------------------------------
/frida-scripts/raptor_frida_ios_trace.js:
--------------------------------------------------------------------------------
/*
 * raptor_frida_ios_trace.js - ObjC & Module tracer for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script to trace arbitrary ObjC methods and
 * Module functions for debugging and reverse engineering.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to @inode-, @federicodotta, @mrmacete, and
 * @dankluev.
 *
 * Example usage:
 * # frida -U -f com.target.app -l raptor_frida_ios_trace.js --no-pause
 *
 * Get the latest version at:
 * https://github.com/0xdea/frida-scripts/
 */

// generic trace
// A pattern containing a space is resolved as an ObjC pattern and traced
// with traceObjC(); anything else is resolved as a module pattern and
// traced with traceModule().
function trace(pattern)
{
    var isObjC = pattern.indexOf(" ") !== -1;
    var type = isObjC ? "objc" : "module";
    var tracer = isObjC ? traceObjC : traceModule;

    var resolver = new ApiResolver(type);
    var unique = uniqBy(resolver.enumerateMatchesSync(pattern), JSON.stringify);

    unique.forEach(function (target) {
        tracer(target.address, target.name);
    });
}

// remove duplicates from array
// `key` maps an item to the string used to decide equality; the first item
// seen for each key is kept.
function uniqBy(array, key)
{
    var seen = {};

    return array.filter(function (item) {
        var k = key(item);
        if (seen.hasOwnProperty(k))
            return false;
        seen[k] = true;
        return true;
    });
}

// trace ObjC methods
// Logs entry, the caller, each argument named in the selector and the
// return value of the method at `impl`; `name` is the resolver's
// "-[Class selector:]" style name.
function traceObjC(impl, name)
{
    console.log("Tracing " + name);

    Interceptor.attach(impl, {

        onEnter: function (args) {

            // debug only the intended calls
            // (with the filter below commented out, every call is traced)
            this.flag = 0;
            // if (ObjC.Object(args[2]).toString() === "1234567890abcdef1234567890abcdef12345678")
                this.flag = 1;

            if (!this.flag)
                return;

            console.warn("\n*** entered " + name);

            // print full backtrace
            // console.log("\nBacktrace:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE)
            //		.map(DebugSymbol.fromAddress).join("\n"));

            // print caller
            console.log("\nCaller: " + DebugSymbol.fromAddress(this.returnAddress));

            // print args
            if (name.indexOf(":") === -1)
                return;

            console.log();

            // Splitting on ":" yields one label per argument plus a trailing
            // piece; the first piece still carries "-[Class ", which the
            // split on " " removes.
            var labels = name.split(":");
            labels[0] = labels[0].split(" ")[1];

            // args[0] is self and args[1] the selector, hence the +2
            for (var i = 0; i < labels.length - 1; i++)
                printArg(labels[i] + ": ", args[i + 2]);
        },

        onLeave: function (retval) {

            if (!this.flag)
                return;

            // print retval
            printArg("\nretval: ", retval);
            console.warn("\n*** exiting " + name);
        }

    });
}

// trace Module functions
// Logs entry, a symbolicated backtrace and the return value of the native
// function at `impl`.
function traceModule(impl, name)
{
    console.log("Tracing " + name);

    Interceptor.attach(impl, {

        onEnter: function (args) {

            // debug only the intended calls
            // (with the filters below commented out, every call is traced)
            this.flag = 0;
            // var filename = Memory.readCString(ptr(args[0]));
            // if (filename.indexOf("Bundle") === -1 && filename.indexOf("Cache") === -1) // exclusion list
            // if (filename.indexOf("my.interesting.file") !== -1) // inclusion list
                this.flag = 1;

            if (!this.flag)
                return;

            console.warn("\n*** entered " + name);

            // print backtrace
            var frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress);
            console.log("\nBacktrace:\n" + frames.join("\n"));
        },

        onLeave: function (retval) {

            if (!this.flag)
                return;

            // print retval
            printArg("\nretval: ", retval);
            console.warn("\n*** exiting " + name);
        }

    });
}

// print helper
// Tries to print `arg` as an ObjC object and falls back to its plain
// string form when wrapping or describing it throws.
function printArg(desc, arg)
{
    var text;

    try {
        text = desc + ObjC.Object(arg);
    }
    catch (err) {
        text = desc + arg;
    }

    console.log(text);
}

// usage examples
if (!ObjC.available) {
    send("error: Objective-C Runtime is not available!");
} else {

    // trace("-[CredManager setPassword:]");
    // trace("*[CredManager *]");
    // trace("*[* *Password:*]");
    // trace("exports:libSystem.B.dylib!CCCrypt");
    // trace("exports:libSystem.B.dylib!open");
    // trace("exports:*!open*");

}
--------------------------------------------------------------------------------
/frida-snippets-master/gif/README.md:
--------------------------------------------------------------------------------
.
2 | -------------------------------------------------------------------------------- /frida-snippets-master/gif/intercept_open_chrome_android.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DargonLee/ios-frida-lib/6c47ad6bced609f31a9c62846db341cf4dc6a5f8/frida-snippets-master/gif/intercept_open_chrome_android.gif -------------------------------------------------------------------------------- /frida-snippets-master/scripts/WIP_android_ipc.js: -------------------------------------------------------------------------------- 1 | var ContextWrapper = Java.use("android.content.ContextWrapper"); 2 | 3 | ContextWrapper.sendBroadcast.overload("android.content.Intent").implementation = function(intent) { 4 | send(JSON.stringify({ 5 | _intent: intent.toString(), 6 | extras: intent.getExtras() ? intent.getExtras().toString() : 'null', 7 | flags: intent.getFlags().toString() 8 | })); 9 | return this.sendBroadcast.overload("android.content.Intent").apply(this, arguments); 10 | } 11 | 12 | ContextWrapper.sendBroadcast.overload("android.content.Intent", "java.lang.String").implementation = function(intent, receiverPermission) { 13 | send(JSON.stringify({ 14 | 15 | }); 16 | return this.sendBroadcast.overload("android.content.Intent", "java.lang.String").apply(this, arguments); 17 | } 18 | 19 | 20 | ContextWrapper.sendStickyBroadcast.overload("android.content.Intent").implementation = function(intent) { 21 | 22 | return this.sendStickyBroadcast.overload("android.content.Intent").apply(this, arguments); 23 | } 24 | 25 | ContextWrapper.startActivity.overload("android.content.Intent").implementation = function(intent) { 26 | 27 | return this.startActivity.overload("android.content.Intent").apply(this, arguments); 28 | } 29 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/WIP_dump_dynamically_created_files.js: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | // Work in progress 3 | // TBD how to show diff.. use git or just git style 4 | const fs = require('fs'); 5 | const frida = require('frida'); 6 | 7 | const APP_ID = process.argv[2]; 8 | 9 | const source = ` 10 | Java.perform(function() { 11 | 12 | var openedfile = ""; 13 | var data = { 14 | "file": "", 15 | "content": [] 16 | }; 17 | var isOpen = false; 18 | var index = 0; 19 | 20 | var fos = Java.use('java.io.FileOutputStream'); 21 | 22 | var fos_construct_2 = fos.$init.overload('java.lang.String'); 23 | var fos_construct_3 = fos.$init.overload('java.io.File'); 24 | var fos_construct_4 = fos.$init.overload('java.lang.String', 'boolean'); 25 | var fos_construct_5 = fos.$init.overload('java.io.File', 'boolean'); 26 | 27 | var fos_write_1 = fos.write.overload('[B', 'int', 'int'); 28 | 29 | var fos_close = fos.close; 30 | 31 | function dump(data) { 32 | console.log("Got " + data["content"].length + " bytes!"); 33 | var tmp_name = openedfile.split("/"); 34 | tmp_name = tmp_name[tmp_name.length - 1]; 35 | data["file"] = tmp_name; 36 | send(data); 37 | data["content"] = []; 38 | index = 0; 39 | } 40 | 41 | fos_construct_2.implementation = function(file) { 42 | var filename = file; 43 | if (openedfile != filename) { 44 | openedfile = filename; 45 | console.log("File opened for write " + filename); 46 | isOpen = true; 47 | } 48 | return fos_construct_2.call(this, file); 49 | } 50 | 51 | fos_construct_3.implementation = function(file) { 52 | var filename = file.getAbsolutePath(); 53 | if (openedfile != filename) { 54 | openedfile = filename; 55 | console.log("File opened for write " + filename); 56 | isOpen = true; 57 | } 58 | return fos_construct_3.call(this, file); 59 | } 60 | 61 | fos_construct_4.implementation = function(file, true_false) { 62 | var filename = file; 63 | if (openedfile != filename) { 64 | openedfile = filename; 65 | console.log("File opened for 
write " + filename); 66 | isOpen = true; 67 | } 68 | return fos_construct_4.call(this, file, true_false); 69 | } 70 | 71 | fos_construct_5.implementation = function(file, true_false) { 72 | var filename = file.getAbsolutePath(); 73 | if (openedfile != filename) { 74 | openedfile = filename; 75 | console.log("File opened for write " + filename); 76 | isOpen = true; 77 | } 78 | return fos_construct_5.call(this, file, true_false); 79 | } 80 | 81 | fos_write_1.implementation = function(arr, offset, length) { 82 | var i = 0; 83 | for (i = offset; i < length; i = i + 1) { 84 | data["content"][index] = arr[i]; 85 | index = index + 1; 86 | } 87 | return fos_write_1.call(this, arr, offset, length); 88 | } 89 | 90 | fos_close.implementation = function() { 91 | dump(data); 92 | return fos_close.call(this); 93 | } 94 | 95 | }); 96 | `; 97 | 98 | function stop() { // cleanup, TODO add session.detach ? 99 | if (script !== null) { 100 | script.unload().then(() => { 101 | script = null; 102 | console.log('[!] 
Script unloaded'); 103 | }).catch(console.error); 104 | } 105 | } 106 | 107 | async function Main() { 108 | 109 | let device = await frida.getUsbDevice(); 110 | let pid = await device.spawn([APP_ID]); 111 | let session = await device.attach(pid); 112 | let script = await session.createScript(source); 113 | 114 | script.message.connect(msg => { 115 | if (msg['type'] === 'send') { 116 | let payload = msg['payload']; 117 | if (typeof payload === 'object') { 118 | console.log('[D]', payload['file'], '\n\n', payload['content']); 119 | } 120 | } else { 121 | console.error('[!]', msg, '\n', msg['stack']); 122 | } 123 | }); 124 | 125 | await script.load(); 126 | await device.resume(pid); 127 | 128 | process.stdin.resume(); // keep process running 129 | process.on('SIGTERM', stop); 130 | process.on('SIGINT', stop); 131 | console.log('...'); 132 | } 133 | 134 | Main().catch(console.error); 135 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/WIP_ios_app_info.js: -------------------------------------------------------------------------------- 1 | function dictFromNSDictionary(nsDict) { 2 | var jsDict = {}; 3 | var keys = nsDict.allKeys(); 4 | var count = keys.count(); 5 | for (var i = 0; i < count; i++) { 6 | var key = keys.objectAtIndex_(i); 7 | var value = nsDict.objectForKey_(key); 8 | jsDict[key.toString()] = value.toString(); 9 | } 10 | return jsDict; 11 | } 12 | 13 | function arrayFromNSArray(nsArray) { 14 | var jsArray = []; 15 | var count = nsArray.count(); 16 | for (var i = 0; i < count; i++) { 17 | jsArray[i] = nsArray.objectAtIndex_(i).toString(); 18 | } 19 | return jsArray; 20 | } 21 | 22 | function infoDictionary() { 23 | if (ObjC.available && "NSBundle" in ObjC.classes) { 24 | var info = ObjC.classes.NSBundle.mainBundle().infoDictionary(); 25 | return dictFromNSDictionary(info); 26 | } 27 | return null; 28 | } 29 | 30 | function infoLookup(key) { 31 | if (ObjC.available && "NSBundle" in 
ObjC.classes) { 32 | var info = ObjC.classes.NSBundle.mainBundle().infoDictionary(); 33 | var value = info.objectForKey_(key); 34 | if (value === null) { 35 | return value; 36 | } else if (value.class().toString() === "__NSCFArray") { 37 | return arrayFromNSArray(value); 38 | } else if (value.class().toString() === "__NSCFDictionary") { 39 | return dictFromNSDictionary(value); 40 | } else { 41 | return value.toString(); 42 | } 43 | } 44 | return null; 45 | } 46 | 47 | console.warn(JSON.stringify({ 48 | name: infoLookup("CFBundleName"), 49 | bundleId: ObjC.classes.NSBundle.mainBundle().bundleIdentifier().toString(), 50 | version: infoLookup("CFBundleVersion"), 51 | path: { 52 | bundle: ObjC.classes.NSBundle.mainBundle().bundlePath().toString(), 53 | data: ObjC.classes.NSProcessInfo.processInfo().environment().objectForKey_("HOME").toString(), 54 | binary: ObjC.classes.NSBundle.mainBundle().executablePath().toString() 55 | }, 56 | info: infoDictionary() 57 | }, null, 2)) 58 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/WIP_unpack_64.js: -------------------------------------------------------------------------------- 1 | var art_DexFile_OpenMemory = Module.findExportByName('libart.so','_ZN3art7DexFile10OpenMemoryEPKhmRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_'); // art::DexFile::OpenMemory > 64bit version 2 | console.log(art_DexFile_OpenMemory); 3 | Interceptor.attach(art_DexFile_OpenMemory, { 4 | onEnter: function (_args) { 5 | var begin = this.context.x0; 6 | this.o = {}; 7 | this.o.begin = begin; 8 | this.o.magic = Memory.readUtf8String(begin); 9 | var address = parseInt(begin, 16) + 0x20; 10 | var dexSize = Memory.readInt(ptr(address)); 11 | this.o.dexSize = dexSize; 12 | var file = new File('/sdcard/unpack/' + dexSize + '.dex', 'wb'); 13 | file.write(Memory.readByteArray(begin, dexSize)); 14 | file.flush(); 15 | file.close(); 16 | }, 17 | 
onLeave: function (retval) { 18 | this.o.retval = retval; 19 | console.log(JSON.stringify(this.o, null, 2)); 20 | } 21 | }); 22 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/android_proxy.js: -------------------------------------------------------------------------------- 1 | // open proxy (not working) 2 | Java.perform(function() { 3 | Java.use('android.net.Proxy').setHttpProxySystemProperty(Java.use('android.net.ProxyInfo').buildDirectProxy('1.0.0.1', 8081)); 4 | }); 5 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/check_for_native_calls.py: -------------------------------------------------------------------------------- 1 | # Check for native library calls and return a stacktrace 2 | import sys 3 | import frida 4 | from pprint import pprint 5 | 6 | 7 | def on_message(m, _data): 8 | if m['type'] == 'send': 9 | print(m['payload']) 10 | else: 11 | if m['type'] == 'error': 12 | pprint(m) 13 | exit(2) 14 | 15 | 16 | jscode = """ 17 | Java.perform(function() { 18 | 19 | var SystemDef = Java.use('java.lang.System'); 20 | 21 | var RuntimeDef = Java.use('java.lang.Runtime'); 22 | 23 | var exceptionClass = Java.use('java.lang.Exception'); 24 | 25 | var SystemLoad_1 = SystemDef.load.overload('java.lang.String'); 26 | 27 | var SystemLoad_2 = SystemDef.loadLibrary.overload('java.lang.String'); 28 | 29 | var RuntimeLoad_1 = RuntimeDef.load.overload('java.lang.String'); 30 | 31 | var RuntimeLoad_2 = RuntimeDef.loadLibrary.overload('java.lang.String'); 32 | 33 | var ThreadDef = Java.use('java.lang.Thread'); 34 | 35 | var ThreadObj = ThreadDef.$new(); 36 | 37 | SystemLoad_1.implementation = function(library) { 38 | send("[1] Loading dynamic library => " + library); 39 | stackTrace(); 40 | return SystemLoad_1.call(this, library); 41 | } 42 | 43 | SystemLoad_2.implementation = function(library) { 44 | send("[2] Loading dynamic library => " + 
library); 45 | stackTrace(); 46 | SystemLoad_2.call(this, library); 47 | return; 48 | } 49 | 50 | RuntimeLoad_1.implementation = function(library) { 51 | send("[3] Loading dynamic library => " + library); 52 | stackTrace(); 53 | RuntimeLoad_1.call(this, library); 54 | return; 55 | } 56 | 57 | RuntimeLoad_2.implementation = function(library) { 58 | send("[4] Loading dynamic library => " + library); 59 | stackTrace(); 60 | RuntimeLoad_2.call(this, library); 61 | return; 62 | } 63 | 64 | function stackTrace() { 65 | var stack = ThreadObj.currentThread().getStackTrace(); 66 | for (var i = 0; i < stack.length; i++) { 67 | send(i + " => " + stack[i].toString()); 68 | } 69 | send("--------------------------------------------------------------------------"); 70 | } 71 | 72 | }); 73 | """ 74 | APP = 'com.app' 75 | device = frida.get_usb_device() 76 | pid = device.spawn([APP]) 77 | session = device.attach(pid) 78 | script = session.create_script(jscode) 79 | print("[*] Intercepting [{}]".format(pid)) 80 | script.on('message', on_message) 81 | script.load() 82 | device.resume(APP) 83 | sys.stdin.read() 84 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/enable_remote_debugging.js: -------------------------------------------------------------------------------- 1 | /* 2 | Enable remote debugging of Android WebViews at Runtime using Frida 3 | run "adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'" to get the current activity 4 | */ 5 | Java.perform(function() { 6 | Java.deoptimizeEverything(); 7 | var injected = false; 8 | Java.choose('com.app.SomeActivity', { 9 | 'onMatch': function(o) { 10 | var Runnable = Java.use('java.lang.Runnable'); 11 | var MyRunnable = Java.registerClass({ 12 | name: 'com.example.MyRunnable', 13 | implements: [Runnable], 14 | methods: { 15 | 'run': function() { 16 | Java.use('android.webkit.WebView').setWebContentsDebuggingEnabled(true); 17 | } 18 | } 19 | }); 20 | 
var runnable = MyRunnable.$new(); 21 | o.runOnUiThread(runnable); 22 | console.log('\nWebview debug enabled......'); 23 | 24 | }, 25 | 'onComplete': function() { 26 | console.log('completed'); 27 | } 28 | }) 29 | }); 30 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/enumerateNativeMethods.js: -------------------------------------------------------------------------------- 1 | // $ frida -Uf com.app --no-pause -l scripts.js 2 | var fIntercepted = false; 3 | 4 | function revealNativeMethods() { 5 | if (fIntercepted === true) { 6 | return; 7 | } 8 | var jclassAddress2NameMap = {}; 9 | var androidRunTimeSharedLibrary = "libart.so"; // may change between devices 10 | Module.enumerateSymbolsSync(androidRunTimeSharedLibrary).forEach(function(symbol){ 11 | switch (symbol.name) { 12 | case "_ZN3art3JNI21RegisterNativeMethodsEP7_JNIEnvP7_jclassPK15JNINativeMethodib": 13 | /* 14 | $ c++filt "_ZN3art3JNI21RegisterNativeMethodsEP7_JNIEnvP7_jclassPK15JNINativeMethodib" 15 | art::JNI::RegisterNativeMethods(_JNIEnv*, _jclass*, JNINativeMethod const*, int, bool) 16 | */ 17 | var RegisterNativeMethodsPtr = symbol.address; 18 | console.log("RegisterNativeMethods is at " + RegisterNativeMethodsPtr); 19 | Interceptor.attach(RegisterNativeMethodsPtr, { 20 | onEnter: function(args) { 21 | var methodsPtr = ptr(args[2]); 22 | var methodCount = parseInt(args[3]); 23 | for (var i = 0; i < methodCount; i++) { 24 | var pSize = Process.pointerSize; 25 | /* 26 | https://android.googlesource.com/platform/libnativehelper/+/master/include_jni/jni.h#129 27 | typedef struct { 28 | const char* name; 29 | const char* signature; 30 | void* fnPtr; 31 | } JNINativeMethod; 32 | */ 33 | var structSize = pSize * 3; // JNINativeMethod contains 3 pointers 34 | var namePtr = Memory.readPointer(methodsPtr.add(i * structSize)); 35 | var sigPtr = Memory.readPointer(methodsPtr.add(i * structSize + pSize)); 36 | var fnPtrPtr = 
Memory.readPointer(methodsPtr.add(i * structSize + (pSize * 2))); 37 | // output schema: className#methodName(arguments)returnVal@address 38 | console.log( 39 | // package & class, replacing forward slash with dot for convenience 40 | jclassAddress2NameMap[args[0]].replace(/\//g, '.') + 41 | '#' + Memory.readCString(namePtr) + // method 42 | Memory.readCString(sigPtr) + // signature (arguments & return type) 43 | '@' + fnPtrPtr // C side address 44 | ); 45 | } 46 | }, 47 | onLeave: function (ignoredReturnValue) {} 48 | }); 49 | break; 50 | case "_ZN3art3JNI9FindClassEP7_JNIEnvPKc": // art::JNI::FindClass 51 | Interceptor.attach(symbol.address, { 52 | onEnter: function(args) { 53 | if (args[1] != null) { 54 | jclassAddress2NameMap[args[0]] = Memory.readCString(args[1]); 55 | } 56 | }, 57 | onLeave: function (ignoredReturnValue) {} 58 | }); 59 | break; 60 | } 61 | }); 62 | fIntercepted = true; 63 | } 64 | 65 | Java.perform(revealNativeMethods); 66 | 67 | // TODO update 68 | // https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md 69 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/exec_shell_cmd.py: -------------------------------------------------------------------------------- 1 | """ 2 | Execute shell command 3 | For example, list directory contents: 4 | def ls(folder): 5 | cmd = Shell(['/bin/sh', '-c', 'ls -la ' + folder], None) 6 | cmd.exec() 7 | for chunk in cmd.output: 8 | print(chunk.strip().decode()) 9 | """ 10 | import frida 11 | from frida_tools.application import Reactor 12 | import threading 13 | import click 14 | 15 | 16 | class Shell(object): 17 | def __init__(self, argv, env): 18 | self._stop_requested = threading.Event() 19 | self._reactor = Reactor(run_until_return=lambda reactor: self._stop_requested.wait()) 20 | 21 | self._device = frida.get_usb_device() 22 | self._sessions = set() 23 | 24 | self._device.on("child-added", 
lambda child: self._reactor.schedule(lambda: self._on_child_added(child))) 25 | self._device.on("child-removed", lambda child: self._reactor.schedule(lambda: self._on_child_removed(child))) 26 | self._device.on("output", lambda pid, fd, data: self._reactor.schedule(lambda: self._on_output(pid, fd, data))) 27 | 28 | self.argv = argv 29 | self.env = env 30 | self.output = [] # stdout will pushed into array 31 | 32 | def exec(self): 33 | self._reactor.schedule(lambda: self._start()) 34 | self._reactor.run() 35 | 36 | def _start(self): 37 | click.secho("✔ spawn(argv={})".format(self.argv), fg='green', dim=True) 38 | pid = self._device.spawn(self.argv, env=self.env, stdio='pipe') 39 | self._instrument(pid) 40 | 41 | def _stop_if_idle(self): 42 | if len(self._sessions) == 0: 43 | self._stop_requested.set() 44 | 45 | def _instrument(self, pid): 46 | click.secho("✔ attach(pid={})".format(pid), fg='green', dim=True) 47 | session = self._device.attach(pid) 48 | session.on("detached", lambda reason: self._reactor.schedule(lambda: self._on_detached(pid, session, reason))) 49 | click.secho("✔ enable_child_gating()", fg='green', dim=True) 50 | session.enable_child_gating() 51 | # print("✔ resume(pid={})".format(pid)) 52 | self._device.resume(pid) 53 | self._sessions.add(session) 54 | 55 | def _on_child_added(self, child): 56 | click.secho("⚡ child_added: {}".format(child), fg='green', dim=True) 57 | self._instrument(child.pid) 58 | 59 | @staticmethod 60 | def _on_child_removed(child): 61 | click.secho("⚡ child_removed: {}".format(child), fg='green', dim=True) 62 | 63 | def _on_output(self, pid, fd, data): 64 | # print("⚡ output: pid={}, fd={}, data={}".format(pid, fd, repr(data))) 65 | # fd=0 (input) fd=1(stdout) fd=2(stderr) 66 | if fd != 2: 67 | self.output.append(data) 68 | 69 | def _on_detached(self, pid, session, reason): 70 | click.secho("⚡ detached: pid={}, reason='{}'".format(pid, reason), fg='green', dim=True) 71 | self._sessions.remove(session) 72 | 
self._reactor.schedule(self._stop_if_idle, delay=0.5) 73 | 74 | @staticmethod 75 | def _on_message(pid, message): 76 | click.secho("⚡ message: pid={}, payload={}".format(pid, message), fg='green', dim=True) 77 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/extact_ipa.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Extracting IPA from Jailbroken +Frida device 3 | # The IPA will be @ /tmp/ios_ssh/iphonessh/python-client/frida-ios-dump/AppName.ipa 4 | mkdir /tmp/ios_ssh 5 | cd "$_" 6 | sudo apt-get install libgcrypt20-doc gnutls-doc gnutls-bin usbmuxd libimobiledevice* 7 | git clone https://github.com/rcg4u/iphonessh 8 | cd iphonessh/python-client/ 9 | chmod +x * 10 | python2.7 tcprelay.py -t 22:2222 & 11 | TCP_RELAY_PID=$! 12 | git clone https://github.com/AloneMonkey/frida-ios-dump.git 13 | cd frida-ios-dump 14 | git checkout origin/3.x 15 | sudo -H pip3 install -r requirements.txt --upgrade 16 | sudo python3.6 dump.py $1 # com.app.bundle.id 17 | kill $TCP_RELAY_PID 18 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/how_to_access_inner_class_static_field.md: -------------------------------------------------------------------------------- 1 | ### How to access inner class static field 2 | ``` 3 | package tech.yusi.fridademo; 4 | 5 | public class Jingdong { 6 | private int intResult; 7 | 8 | private final static class a { 9 | final static Jingdong a = new Jingdong(); 10 | } 11 | 12 | 13 | public Jingdong() { 14 | intResult = 0; 15 | } 16 | 17 | public static Jingdong a() { 18 | return a.a; 19 | } 20 | 21 | public static int a(int arg0, int arg1) { 22 | return arg0 + arg1; 23 | } 24 | 25 | 26 | public String a(String arg0, String arg1) { 27 | return arg0 + arg1; 28 | } 29 | } 30 | ``` 31 | 32 | ``` 33 | #!/usr/bin/env python3 34 | # -*- coding: utf-8 -*- 35 | 36 | import frida,sys 
37 | 38 | rdev = frida.get_remote_device() 39 | session = rdev.attach("tech.yusi.fridademo") 40 | 41 | def on_message(message ,data): 42 | if message['type'] == 'send': 43 | print(message['payload']) 44 | elif message['type'] == 'error': 45 | print(message['stack']) 46 | else: 47 | print(message) 48 | 49 | jscode = """ 50 | send(Java.available); 51 | Java.perform(function () { 52 | var JingdongA = Java.use("tech.yusi.fridademo.Jingdong$a"); 53 | var Jingdong = JingdongA.a; 54 | send(Jingdong.fieldType); 55 | 56 | var JingdongInstance = Jingdong.value; 57 | var ret = JingdongInstance.a("G8", "4tar"); 58 | send(ret); 59 | 60 | }); 61 | """ 62 | 63 | script = session.create_script(jscode) 64 | script.on("message" , on_message) 65 | script.load() 66 | 67 | try: 68 | sys.stdin.read() 69 | except KeyboardInterrupt as e: 70 | session.detach() 71 | sys.exit(0) 72 | ``` 73 | 74 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/install_frida_server.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Download latest frida-server, extract, push & run on android device/emulator 3 | # adb 1.0.32, jq 1.5, xz 5.1, wget 1.17.1 4 | # sudo apt install wget jq xz 5 | 6 | # PARCH = phone architecture 7 | # if oneliner [[ == "armeabi-v7a" ]] is a dirty fix because frida's release for armeabi-v7a is just "arm" 8 | 9 | # TODO fix adb root which does not work on phones, only emulators, use `adb shell su` instead 10 | 11 | PARCH=`adb shell getprop ro.product.cpu.abi`;\ 12 | [[ "${PARCH}" == "armeabi-v7a" ]] && PARCH="arm";\ 13 | wget -q -O - https://api.github.com/repos/frida/frida/releases \ 14 | | jq '.[0] | .assets[] | select(.browser_download_url | match("server(.*?)android-'${PARCH}'*\\.xz")).browser_download_url' \ 15 | | xargs wget -q --show-progress $1 \ 16 | && unxz frida-server* \ 17 | && adb root \ 18 | && adb push frida-server* 
/data/local/tmp/frida-server \ 19 | && adb shell "chmod 755 /data/local/tmp/frida-server" \ 20 | && adb shell "/data/local/tmp/frida-server &" 21 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/ios_ssl_unpin.js: -------------------------------------------------------------------------------- 1 | var SecTrustEvaluate_prt = Module.findExportByName("Security", "SecTrustEvaluate"); 2 | var SecTrustEvaluate = new NativeFunction(SecTrustEvaluate_prt, "int", ["pointer", "pointer"]); 3 | Interceptor.replace(SecTrustEvaluate_prt, new NativeCallback(function(trust, result) { 4 | console.log("[*] SecTrustEvaluate(...) hit!"); 5 | SecTrustEvaluate(trust, result); // call original method 6 | Memory.writeU8(result, 1); 7 | return 0; 8 | }, "int", ["pointer", "pointer"])); 9 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/log_string_builders_and_string_compare.js: -------------------------------------------------------------------------------- 1 | Java.perform(function() { 2 | // string compare 3 | var str = Java.use('java.lang.String'), objectClass = 'java.lang.Object'; 4 | str.equals.overload(objectClass).implementation = function(obj) { 5 | var response = str.equals.overload(objectClass).call(this, obj); 6 | if (obj) { 7 | if (obj.toString().length > 5) { 8 | send(str.toString.call(this) + ' == ' + obj.toString() + ' ? ' + response); 9 | } 10 | } 11 | return response; 12 | } 13 | // log AbstractStringBuilder.toString() 14 | ['java.lang.StringBuilder', 'java.lang.StringBuffer'].forEach(function(clazz, i) { 15 | console.log('[?] 
' + i + ' = ' + clazz); 16 | var func = 'toString'; 17 | Java.use(clazz)[func].implementation = function() { 18 | var ret = this[func](); 19 | send('[' + i + '] ' + ret); 20 | return ret; 21 | }; 22 | }); 23 | }); 24 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/objc_ssl_unppining_helper.js: -------------------------------------------------------------------------------- 1 | /* 2 | * By http://github.com/LotemBY * 3 | 4 | This is a frida script for unpinning and reversing of ObjC applications. 5 | Intercept method's which match regex. 6 | 7 | You may change the following regex arrays to match your needs: 8 | */ 9 | 10 | // The list of regexs for the moudle name 11 | var moduleKeyWords = [/.*/]; // (It is not recommended to search all the moudles) 12 | 13 | // The list of regexs for the method name 14 | var methodKeyWords = [/cert/i, /trust/i, /ssl/i, /verify/i, /509/]; 15 | 16 | // The list of regexs for the method to override their return value with "1" 17 | var overrideKeyWords = []; 18 | 19 | /* 20 | To run this script with frida on iPhone, follow these steps: 21 | 1. Make sure the iPhone is jailbreaked 22 | 2. Download the frida server from Cydia (package: re.frida.server) 23 | 3. Connect the iPhone to your computer with USB and open the application 24 | 4. Type in console "frida-ps -U" to get the list of running proccess on the iPhone, and find the proccess name of your app 25 | 5. Type in console "frida -U -l " to run this script 26 | 6. 
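Now you should use the app to trigger some of the intercepted methods
*/

// No-op completion handler shared by both enumerations below.
var onCompleteCallback = function (retval) {};

// Entry point: walk the loaded modules, print every symbol whose name matches
// methodKeyWords, and try to attach a logging hook to it via intercept().
// With the default moduleKeyWords (/.*/) every loaded module is scanned.
setImmediate(function () {
    if (!ObjC.available) {
        console.log("[-] Objective-C Runtime is not available!");
        return;
    }

    console.log("=======================================================\n");
    console.log("[*] Searching methods...");

    // Tracks whether the "In module ..." header was already printed for the
    // module currently being enumerated.
    var moduleUsed = false;

    Process.enumerateModules({
        onMatch: function(module) {

            if (!matchesRegex(moduleKeyWords, module.name)) {
                return;
            }

            moduleUsed = false;
            Module.enumerateSymbols(module.name, {
                onMatch: function(exp) {
                    if (matchesRegex(methodKeyWords, exp.name)) {
                        if (!moduleUsed) {
                            console.log("[*] In module \"" + module.name + "\"");
                            moduleUsed = true;
                        }
                        console.log("\t[*] Matching method: \"" + exp.name + "\", Address: " + Module.findExportByName(module.name, exp.name));

                        if (intercept(module.name, exp.name)) {
                            console.log("\t\t[+] Now intercepting " + exp.name);
                        } else {
                            console.log("\t\t[-] Could not intercept " + exp.name);
                        }
                    }
                },
                onComplete: onCompleteCallback
            });
        },
        onComplete: onCompleteCallback
    });

    console.log("[*] Completed!");
    console.log("=======================================================\n\n");
});

// Return true when 'str' matches at least one of the regexes in 'regexList',
// false otherwise (an empty list matches nothing).
function matchesRegex(regexList, str) {
    // some() stops at the first hit and yields a boolean. forEach() cannot be
    // used for this: a `return` inside its callback only leaves the callback,
    // so the enclosing function would always fall through to `false`.
    return regexList.some(function (el) {
        return str.search(el) !== -1;
    });
}

// Try to intercept a method by module name and function name.
// Return 'true' on success and 'false' on failure.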
85 | function intercept(module, func) { 86 | try { 87 | Interceptor.attach(Module.findExportByName(module, func), { 88 | onEnter: function(args) { 89 | console.log("[*] Method CALL:\t\"" + func + "\" called!"); 90 | }, 91 | onLeave: function (retval) { 92 | console.log("[*] Method RETURN:\t\"" + func + "\" (return value: " + retval + ")"); 93 | 94 | if (matchesRegex(overrideKeyWords, func)) { 95 | console.log("[!] CHANGED RETURN VALUE of method:\t\"" + func + "\" (new value: " + 1 + ")"); 96 | retval.replace(1); 97 | } 98 | } 99 | }); 100 | 101 | return true; 102 | } catch (err) { 103 | return false; 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /frida-snippets-master/scripts/stalker.js: -------------------------------------------------------------------------------- 1 | Interceptor.attach(ObjC.classes.MyClass['- myMethod:param1'].implementation, { 2 | onEnter: function (args) { 3 | console.warn(JSON.stringify({ 4 | fname: args[1].readCString(), 5 | text: new ObjC.Object(args[2]).toString(), 6 | backtrace: Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).map(m => m.moduleName+'!'+m.name), 7 | ctx: this.context 8 | }, null, 2)); 9 | var tid = Process.getCurrentThreadId(); 10 | this.tid = tid; 11 | Stalker.follow(tid, { 12 | events: { 13 | call: true 14 | }, 15 | /* 16 | onCallSummary: function (summary) { 17 | Object.keys(summary).forEach(s => { 18 | var sym = DebugSymbol.fromAddress(ptr(s)); 19 | if (sym.moduleName == 'Viber') 20 | console.log(summary[s], sym.name); 21 | }) 22 | } 23 | */ 24 | transform: function (iterator) { 25 | var instruction; 26 | while ((instruction = iterator.next()) !== null) { 27 | iterator.keep(); 28 | if (instruction.mnemonic.startsWith('bl')) { 29 | try { 30 | console.log('#' + tid + ':' + DebugSymbol.fromAddress(ptr(instruction.operands[0].value))); 31 | } catch (e) { 32 | // ignoring branch&link to register 33 | } 34 | } 35 | } 36 | } 37 | }); 38 
| }, 39 | onLeave: function (retval) { 40 | Stalker.unfollow(this.tid); 41 | Stalker.garbageCollect(); 42 | } 43 | }) 44 | -------------------------------------------------------------------------------- /frida-操作-使用.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DargonLee/ios-frida-lib/6c47ad6bced609f31a9c62846db341cf4dc6a5f8/frida-操作-使用.pdf -------------------------------------------------------------------------------- /my-frida-scripts/ApiResolver.js: -------------------------------------------------------------------------------- 1 | var resolver = new ApiResolver('objc'); 2 | resolver.enumerateMatches('*[NSFileManager *]', { 3 | onMatch: function(match) { 4 | console.log(match['name'] + ":" + match['address']); 5 | var method = match['name']; 6 | var implementation = match['address']; 7 | 8 | // 过滤需要拦截的方法 9 | if (//(method.indexOf("fileExistsAtPath") != -1) 10 | (method.indexOf("removeItemAtPath") != -1) 11 | || (method.indexOf("moveItemAtPath") != -1) 12 | || (method.indexOf("copyItemAtPath") != -1) 13 | || (method.indexOf("createFileAtPath") != -1) 14 | || (method.indexOf("createDirectoryAtPath") != -1) 15 | || (method.indexOf("enumeratorAtPath") != -1) 16 | || (method.indexOf("contentsOfDirectoryAtPath") != -1)) { 17 | 18 | console.log(match['name'] + ":" + match['address']); 19 | try { 20 | Interceptor.attach(implementation, { 21 | onEnter: function(args) { 22 | 23 | var className = ObjC.Object(args[0]); 24 | var methodName = args[1]; 25 | var filePath = ObjC.Object(args[2]); 26 | 27 | console.log("className: " + className.toString()); 28 | console.log("methodName: " + methodName.readUtf8String()); 29 | console.log("filePath: " + filePath.toString()); 30 | 31 | }, 32 | onLeave: function(retval) { 33 | 34 | } 35 | }); 36 | } catch (err) { 37 | console.log("[!] 
Exception: " + err.message); 38 | } 39 | } 40 | }, 41 | onComplete: function() {} 42 | }); -------------------------------------------------------------------------------- /my-frida-scripts/ObjCmethodobserver.js: -------------------------------------------------------------------------------- 1 | /* 2 | * To observe a single class by name: 3 | * observeClass('NSString'); 4 | * 5 | * To dynamically resolve methods to observe (see ApiResolver): 6 | * observeSomething('*[* *Password:*]'); 7 | */ 8 | 9 | var ISA_MASK = ptr('0x0000000ffffffff8'); 10 | var ISA_MAGIC_MASK = ptr('0x000003f000000001'); 11 | var ISA_MAGIC_VALUE = ptr('0x000001a000000001'); 12 | 13 | function observeSomething(pattern) { 14 | var resolver = new ApiResolver('objc'); 15 | var things = resolver.enumerateMatchesSync(pattern); 16 | things.forEach(function(thing) { 17 | observeMethod(thing.address, '', thing.name); 18 | }); 19 | } 20 | 21 | function observeClass(name) { 22 | var k = ObjC.classes[name]; 23 | if (!k) { 24 | return; 25 | } 26 | k.$ownMethods.forEach(function(m) { 27 | observeMethod(k[m].implementation, name, m); 28 | }); 29 | } 30 | 31 | function observeMethod(impl, name, m) { 32 | console.log('Observing ' + name + ' ' + m); 33 | Interceptor.attach(impl, { 34 | onEnter: function(a) { 35 | this.log = []; 36 | this.log.push('(' + a[0] + ') ' + name + ' ' + m); 37 | if (m.indexOf(':') !== -1) { 38 | var params = m.split(':'); 39 | params[0] = params[0].split(' ')[1]; 40 | for (var i = 0; i < params.length - 1; i++) { 41 | if (isObjC(a[2 + i])) { 42 | const theObj = new ObjC.Object(a[2 + i]); 43 | this.log.push(params[i] + ': ' + theObj.toString() + ' (' + theObj.$className + ')'); 44 | } else { 45 | this.log.push(params[i] + ': ' + a[2 + i].toString()); 46 | } 47 | } 48 | } 49 | 50 | this.log.push(Thread.backtrace(this.context, Backtracer.ACCURATE) 51 | .map(DebugSymbol.fromAddress).join("\n")); 52 | }, 53 | 54 | onLeave: function(r) { 55 | if (isObjC(r)) { 56 | this.log.push('RET: ' + 
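new ObjC.Object(r).toString());
            } else {
                this.log.push('RET: ' + r.toString());
            }

            console.log(this.log.join('\n') + '\n');
        }
    });
}

/**
 * Heuristic test for "does p point at an Objective-C object?".
 * True when getObjCClassPtr() finds a readable class pointer for p.
 */
function isObjC(p) {
    var klass = getObjCClassPtr(p);
    return !klass.isNull();
}

/**
 * Derive a candidate class pointer from the pointer-sized value stored at p.
 * Returns NULL when p or the derived pointer cannot be read. Only readability
 * is checked, so a readable non-object can still pass.
 */
function getObjCClassPtr(p) {
    /*
     * Loosely based on:
     * https://blog.timac.org/2016/1124-testing-if-an-arbitrary-pointer-is-a-valid-objective-c-object/
     */

    if (!isReadable(p)) {
        return NULL;
    }
    var isa = p.readPointer();
    var classP = isa;
    // When the magic bits are set, the class pointer is the part of the value
    // selected by ISA_MASK.
    if (classP.and(ISA_MAGIC_MASK).equals(ISA_MAGIC_VALUE)) {
        classP = isa.and(ISA_MASK);
    }
    if (isReadable(classP)) {
        return classP;
    }
    return NULL;
}

/**
 * True when one byte can be read at p; a read that throws counts as unreadable.
 */
function isReadable(p) {
    try {
        p.readU8();
        return true;
    } catch (e) {
        return false;
    }
}
--------------------------------------------------------------------------------
/my-frida-scripts/TestMonkey.js:
--------------------------------------------------------------------------------
// Get the sandbox (home) directory
function getHomeDir(){
    var NSHomeDirectory = new NativeFunction(ptr(Module.findExportByName("Foundation", "NSHomeDirectory")), 'pointer', []);
    var path = new ObjC.Object(NSHomeDirectory());
    console.log('homeDir: ' + path);
    return path;
}

// Get the app bundle directory
function getAppDir(){
    var bundle = ObjC.classes.NSBundle;
    var mainBundle = bundle.mainBundle();
    var appDir = mainBundle.bundlePath();
    console.log('appDir: ' + appDir);
    return appDir;
}

getHomeDir();
getAppDir();
--------------------------------------------------------------------------------
/my-frida-scripts/URLWithString_.js:
--------------------------------------------------------------------------------
var className = "NSURL";
var funcName = "+ URLWithString:";
// Plain property lookup instead of eval(): it resolves the same method object
// without ever executing a constructed string as code.
var hook = ObjC.classes[className][funcName];
Interceptor.attach(hook.implementation, {
    onLeave: function(retval) {

        console.log("[*] Class Name: " + className);
        console.log("[*] Method Name: " + funcName);
        console.log("\t[-] Type of return value: " + typeof retval);
        console.log("\t[-] Original Return Value: " + retval);
    },

    onEnter: function(args){

        var className = ObjC.Object(args[0]);
        var methodName = args[1];
        var urlString = ObjC.Object(args[2]);

        // "a+" opens the file for appending, like the fopen() mode in C.
        // NOTE(review): URLs can carry tokens or other secrets in their query
        // string and this log is plain text - treat the file as sensitive.
        var file = new File("/var/mobile/log.txt","a+");
        try {
            console.log("className: " + className.toString());
            console.log("methodName: " + methodName.readUtf8String());
            console.log("urlString: " + urlString.toString());
            console.log("-----------------------------------------");

            // Rebinds the local variable only (args is not modified), so
            // everything logged after this point shows the replacement string
            // rather than the URL passed by the app.
            urlString = ObjC.classes.NSString.stringWithString_("http://www.baidu.com");
            console.log("newUrlString: " + urlString.toString());
            console.log("-----------------------------------------");

            // Terminate each entry with a newline so that successive appends
            // do not run together in the log file.
            file.write("className: " + className.toString() + "\n");
            file.write("methodName: " + methodName.readUtf8String() + "\n");
            file.write("urlString: " + urlString.toString() + "\n");
            file.write("-----------------------------------------" + "\n");

            file.flush();
        } finally {
            // Release the handle even if one of the conversions above throws.
            file.close();
        }
    }
});
--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/UUSdpManager/setupSdpHost_port_groupId_userNa_d653758f.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of +[UUSdpManager setupSdpHost:port:groupId:userName:password:loginType:complete:].
 * This stub is currently auto-generated from manpages when available.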
4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call +[UUSdpManager setupSdpHost:port:groupId:userName:password:loginType:complete:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 
21 | */ 22 | onEnter(log, args, state) { 23 | log(`+[UUSdpManager setupSdpHost:${args[2]} port:${args[3]} groupId:${args[4]} userName:${args[5]} password:${args[6]} loginType:${args[7]} complete:${args[8]}]`); 24 | console.log(ObjC.Object(args[2]).toString()); 25 | console.log(ObjC.Object(args[3]).toString()); 26 | console.log(ObjC.Object(args[4]).toString()); 27 | console.log(ObjC.Object(args[5]).toString()); 28 | console.log(ObjC.Object(args[6]).toString()); 29 | console.log(ObjC.Object(args[7]).toString()); 30 | // args[4] = ObjC.classes.NSString.stringWithString_("group.com.zhizhangyi.mos") 31 | var url = ObjC.classes.NSFileManager.defaultManager().containerURLForSecurityApplicationGroupIdentifier_("group.com.jnit.ngpt"); 32 | console.log(ObjC.Object(url).absoluteString()); 33 | }, 34 | 35 | /** 36 | * Called synchronously when about to return from +[UUSdpManager setupSdpHost:port:groupId:userName:password:loginType:complete:]. 37 | * 38 | * See onEnter for details. 39 | * 40 | * @this {object} - Object allowing you to access state stored in onEnter. 41 | * @param {function} log - Call this function with a string to be presented to the user. 42 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 43 | * @param {object} state - Object allowing you to keep state across function calls. 44 | */ 45 | onLeave(log, retval, state) { 46 | 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/.cxx_destruct.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton .cxx_destruct]. 3 | * This stub is currently auto-generated from manpages when available. 
4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton .cxx_destruct]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYLottieAnimationButton .cxx_destruct]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton .cxx_destruct]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/animationView.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton animationView].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton animationView] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton animationView]');
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton animationView].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/enableAutoAnimation.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton enableAutoAnimation].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton enableAutoAnimation] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton enableAutoAnimation]');
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton enableAutoAnimation].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/hideAnimationView.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton hideAnimationView].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton hideAnimationView].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton hideAnimationView]');
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton hideAnimationView] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/initComponent.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton initComponent].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton initComponent].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton initComponent]');
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton initComponent] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/initWithCoder_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton initWithCoder:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton initWithCoder:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2] is the first explicit argument of the traced call.
    const coder = args[2];
    log(`-[XYLottieAnimationButton initWithCoder:${coder}]`);
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton initWithCoder:] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/initWithType_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton initWithType:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton initWithType:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2] is the first explicit argument of the traced call.
    const type = args[2];
    log(`-[XYLottieAnimationButton initWithType:${type}]`);
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton initWithType:] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/layoutSubviews.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton layoutSubviews].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton layoutSubviews].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton layoutSubviews]');
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton layoutSubviews] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/limitSizeForButton.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton limitSizeForButton].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton limitSizeForButton] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton limitSizeForButton]');
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton limitSizeForButton].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/maskView.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton maskView].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton maskView] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton maskView]');
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton maskView].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/playAnimationManually.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton playAnimationManually].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton playAnimationManually].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    log('-[XYLottieAnimationButton playAnimationManually]');
    // Symbolicate the caller's stack at the moment of the call and print it,
    // one frame per line, under a "Backtrace:" heading.
    const frames = Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress);
    console.log('\tBacktrace:\n\t' + frames.join('\n\t'));
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton playAnimationManually] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/playAnimationWithAnimated_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton playAnimationWithAnimated:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton playAnimationWithAnimated:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2] is the first explicit argument of the traced call.
    const animated = args[2];
    log(`-[XYLottieAnimationButton playAnimationWithAnimated:${animated}]`);
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton playAnimationWithAnimated:] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/removeTarget_action_forControlEvents_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton removeTarget:action:forControlEvents:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton removeTarget:action:forControlEvents:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2]..args[4] are the three explicit arguments, read by index.
    const target = args[2];
    const action = args[3];
    const controlEvents = args[4];
    log(`-[XYLottieAnimationButton removeTarget:${target} action:${action} forControlEvents:${controlEvents}]`);
  },

  /**
   * Runs synchronously just before -[XYLottieAnimationButton removeTarget:action:forControlEvents:] returns.
   *
   * See onEnter for details.
   *
   * @this {object} - Gives access to the state stored in onEnter.
   * @param {function} log - Presents the given string to the user.
   * @param {NativePointer} retval - The return value, as a NativePointer object.
   * @param {object} state - Object for keeping state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/setAnimationViewScale_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setAnimationViewScale:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton setAnimationViewScale:] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2] is the first explicit argument of the traced call.
    const scale = args[2];
    log(`-[XYLottieAnimationButton setAnimationViewScale:${scale}]`);
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton setAnimationViewScale:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/setAnimationView_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setAnimationView:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Runs synchronously just before -[XYLottieAnimationButton setAnimationView:] is called.
   *
   * @this {object} - Per-invocation object; values stored here can be read in onLeave.
   * @param {function} log - Presents the given string to the user.
   * @param {array} args - The call's arguments as NativePointer objects; for instance,
   *   args[0].readUtf8String() reads a first argument that points to a UTF-8 C string.
   *   Assigning a NativePointer to an element of this array modifies that argument.
   * @param {object} state - Object for keeping state across function calls. Only one
   *   JavaScript function executes at a time, so race conditions are not a concern.
   *   Do not keep function arguments here between onEnter and onLeave; use "this",
   *   which is local to an invocation.
   */
  onEnter(log, args, state) {
    // args[2] is the first explicit argument of the traced call.
    const view = args[2];
    log(`-[XYLottieAnimationButton setAnimationView:${view}]`);
  },

  /**
   * Called synchronously when about to return from -[XYLottieAnimationButton setAnimationView:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {}
}

--------------------------------------------------------------------------------
/my-frida-scripts/__handlers__/XYLottieAnimationButton/setEnableAutoAnimation_.js:
--------------------------------------------------------------------------------
/*
 * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setEnableAutoAnimation:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[XYLottieAnimationButton setEnableAutoAnimation:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton setEnableAutoAnimation:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setEnableAutoAnimation:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setLimitSizeForButton_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setLimitSizeForButton:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setLimitSizeForButton:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls.
18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton setLimitSizeForButton:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setLimitSizeForButton:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setMaskView_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setMaskView:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setMaskView:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton setMaskView:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setMaskView:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setSelected_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setSelected:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setSelected:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user.
14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton setSelected:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setSelected:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setType_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setType:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setType:].
11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton setType:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setType:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setWebAnimation_darkUrl_forState_c07ef5c6.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setWebAnimation:darkUrl:forState:completion:].
3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setWebAnimation:darkUrl:forState:completion:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2]..args[5] line up with the four selector parts. Each is interpolated as a raw NativePointer value, not as the object it may point to. NOTE(review): the two URL parameters and the completion block are presumably object pointers; confirm against the class header before dereferencing. */ 23 | log(`-[XYLottieAnimationButton setWebAnimation:${args[2]} darkUrl:${args[3]} forState:${args[4]} completion:${args[5]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setWebAnimation:darkUrl:forState:completion:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls.
35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/setWebAnimation_forState_completion_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton setWebAnimation:forState:completion:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton setWebAnimation:forState:completion:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2]..args[4] line up with the three selector parts. Each is interpolated as a raw NativePointer value, not as the object it may point to. NOTE(review): the URL parameter and the completion block are presumably object pointers; confirm against the class header before dereferencing. */ 23 | log(`-[XYLottieAnimationButton setWebAnimation:${args[2]} forState:${args[3]} completion:${args[4]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton setWebAnimation:forState:completion:]. 28 | * 29 | * See onEnter for details.
30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/triggerAnimation_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton triggerAnimation:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton triggerAnimation:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation.
21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYLottieAnimationButton triggerAnimation:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton triggerAnimation:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYLottieAnimationButton/type.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYLottieAnimationButton type]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYLottieAnimationButton type]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* Logs the call only: no argument is read here, and the value returned by the method would only be visible as retval in onLeave. */ 23 | log(`-[XYLottieAnimationButton type]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYLottieAnimationButton type]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYNoteLikeButton/pointInside_withEvent_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYNoteLikeButton pointInside:withEvent:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYNoteLikeButton pointInside:withEvent:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector; this stub maps args[2] to pointInside: and args[3] to withEvent:. NOTE(review): if this is the UIKit hit-testing override, the point parameter is a CGPoint struct of floating-point values, which may not travel in the integer argument slots that args[] exposes, so the two values may not line up with point and event; verify on the target ABI. */ 23 | log(`-[XYNoteLikeButton pointInside:${args[2]} withEvent:${args[3]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYNoteLikeButton pointInside:withEvent:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/canLandscape.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView canLandscape]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView canLandscape]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects.
15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* Logs the call only: no argument is read here, and the value returned by the method would only be visible as retval in onLeave. */ 23 | log(`-[XYRotatePlayerView canLandscape]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView canLandscape]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/commInit.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView commInit]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView commInit]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave.
13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* Logs the call only: no argument is read here, and the value returned by the method would only be visible as retval in onLeave. */ 23 | log(`-[XYRotatePlayerView commInit]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView commInit]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/configLandScapeParentViewController_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView configLandScapeParentViewController:]. 3 | * This stub is currently auto-generated from manpages when available.
4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView configLandScapeParentViewController:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYRotatePlayerView configLandScapeParentViewController:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView configLandScapeParentViewController:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls.
35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/handleDeviceOrientationDidChange_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView handleDeviceOrientationDidChange:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView handleDeviceOrientationDidChange:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYRotatePlayerView handleDeviceOrientationDidChange:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView handleDeviceOrientationDidChange:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter.
32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/setCanLandscape_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView setCanLandscape:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView setCanLandscape:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation.
21 | */ 22 | onEnter(log, args, state) { /* args[0] is the receiver and args[1] the selector, so args[2] is the first declared argument. It is interpolated as a raw NativePointer value: an address for an object parameter, the value itself for a BOOL or integer (the parameter type is not visible in this stub). */ 23 | log(`-[XYRotatePlayerView setCanLandscape:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView setCanLandscape:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { /* Empty body: retval is neither logged nor modified. */ 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/setShouldAutoLandscape_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView setShouldAutoLandscape:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView setShouldAutoLandscape:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls.
18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView setShouldAutoLandscape:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView setShouldAutoLandscape:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/shouldAutoLandscape.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView shouldAutoLandscape]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView shouldAutoLandscape]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 
16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView shouldAutoLandscape]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView shouldAutoLandscape]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/updateToFullScreen_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView updateToFullScreen:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView updateToFullScreen:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 
14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView updateToFullScreen:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView updateToFullScreen:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/updateToFullScreen_direction_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView updateToFullScreen:direction:]. 3 | * This stub is currently auto-generated from manpages when available. 
4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView updateToFullScreen:direction:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView updateToFullScreen:${args[2]} direction:${args[3]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView updateToFullScreen:direction:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 
35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/viewActive.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView viewActive]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView viewActive]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView viewActive]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView viewActive]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 
33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/XYRotatePlayerView/viewInactive.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[XYRotatePlayerView viewInactive]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[XYRotatePlayerView viewInactive]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[XYRotatePlayerView viewInactive]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[XYRotatePlayerView viewInactive]. 28 | * 29 | * See onEnter for details. 
30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/_TtCC12XYNoteModule17CommentEntityView10LikeButton/.cxx_destruct.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[_TtCC12XYNoteModule17CommentEntityView10LikeButton .cxx_destruct]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[_TtCC12XYNoteModule17CommentEntityView10LikeButton .cxx_destruct]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 
21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[_TtCC12XYNoteModule17CommentEntityView10LikeButton .cxx_destruct]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[_TtCC12XYNoteModule17CommentEntityView10LikeButton .cxx_destruct]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/_TtCC12XYNoteModule17CommentEntityView10LikeButton/initWithCoder_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithCoder:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithCoder:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 
17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithCoder:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithCoder:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/_TtCC12XYNoteModule17CommentEntityView10LikeButton/initWithFrame_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithFrame:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithFrame:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 
14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithFrame:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithFrame:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/_TtCC12XYNoteModule17CommentEntityView10LikeButton/initWithType_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithType:]. 3 | * This stub is currently auto-generated from manpages when available. 
4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithType:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithType:${args[2]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[_TtCC12XYNoteModule17CommentEntityView10LikeButton initWithType:]. 28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 
35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/__handlers__/_TtCC12XYNoteModule17CommentEntityView10LikeButton/setAttributedTitle_forState_.js: -------------------------------------------------------------------------------- 1 | /* 2 | * Auto-generated by Frida. Please modify to match the signature of -[_TtCC12XYNoteModule17CommentEntityView10LikeButton setAttributedTitle:forState:]. 3 | * This stub is currently auto-generated from manpages when available. 4 | * 5 | * For full API reference, see: https://frida.re/docs/javascript-api/ 6 | */ 7 | 8 | { 9 | /** 10 | * Called synchronously when about to call -[_TtCC12XYNoteModule17CommentEntityView10LikeButton setAttributedTitle:forState:]. 11 | * 12 | * @this {object} - Object allowing you to store state for use in onLeave. 13 | * @param {function} log - Call this function with a string to be presented to the user. 14 | * @param {array} args - Function arguments represented as an array of NativePointer objects. 15 | * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8. 16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array. 17 | * @param {object} state - Object allowing you to keep state across function calls. 18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions. 19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead 20 | * use "this" which is an object for keeping state local to an invocation. 21 | */ 22 | onEnter(log, args, state) { 23 | log(`-[_TtCC12XYNoteModule17CommentEntityView10LikeButton setAttributedTitle:${args[2]} forState:${args[3]}]`); 24 | }, 25 | 26 | /** 27 | * Called synchronously when about to return from -[_TtCC12XYNoteModule17CommentEntityView10LikeButton setAttributedTitle:forState:]. 
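28 | * 29 | * See onEnter for details. 30 | * 31 | * @this {object} - Object allowing you to access state stored in onEnter. 32 | * @param {function} log - Call this function with a string to be presented to the user. 33 | * @param {NativePointer} retval - Return value represented as a NativePointer object. 34 | * @param {object} state - Object allowing you to keep state across function calls. 35 | */ 36 | onLeave(log, retval, state) { 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /my-frida-scripts/app.js: --------------------------------------------------------------------------------
'use strict';

// RPC surface exposed to the host-side Frida client.
rpc.exports = {
  /**
   * Combine two values with the JavaScript `+` operator.
   *
   * @param {*} a - Left operand.
   * @param {*} b - Right operand.
   * @returns {*} a + b
   */
  add(a, b) {
    return a + b;
  },

  /**
   * Subtract b from a, resolving asynchronously after a 100 ms timer.
   *
   * @param {number} a - Minuend.
   * @param {number} b - Subtrahend.
   * @returns {Promise} Resolves with a - b.
   */
  sub(a, b) {
    return new Promise((resolve) => {
      setTimeout(() => {
        resolve(a - b);
      }, 100);
    });
  },

  /**
   * Present a UIAlertController with a single "OK" action on the key window's
   * root view controller.
   *
   * @param {string} title - Alert title.
   * @param {string} message - Alert body text.
   */
  alert(title, message) {
    const UIAlertController = ObjC.classes.UIAlertController;
    const UIAlertAction = ObjC.classes.UIAlertAction;
    const UIApplication = ObjC.classes.UIApplication;

    // Block passed as the handler parameter to +[UIAlertAction actionWithTitle:style:handler:]
    const handler = new ObjC.Block({
      retType: 'void',
      argTypes: ['object'],
      implementation: function() {}
    });

    // Grand Central Dispatch: invoke the UIKit methods on the application's main thread
    ObjC.schedule(ObjC.mainQueue, function() {
      // Integer literal for preferredStyle, which is of type enum UIAlertControllerStyle
      const alert = UIAlertController.alertControllerWithTitle_message_preferredStyle_(title, message, 1);
      // Integer literal again for the style parameter, which is an enum
      const defaultAction = UIAlertAction.actionWithTitle_style_handler_('OK', 0, handler);
      alert.addAction_(defaultAction);
      // Instead of using `ObjC.choose()` and looking for UIViewController instances
      // on the heap, we have direct access through UIApplication:
      UIApplication.sharedApplication().keyWindow().rootViewController().presentViewController_animated_completion_(alert, true, NULL);
    });
  },

  /**
   * List the applications reported by LSApplicationWorkspace.
   *
   * @returns {object[]} One record per application with the keys displayName,
   *   bundleIdentifier, bundlePath, dataPath, executablePath and vsaPath.
   *   vsaPath is the string form of the NSFileManager existence check for
   *   emmlib.framework/emmlib inside the bundle.
   */
  installed() {
    const workspace = ObjC.classes.LSApplicationWorkspace.defaultWorkspace();
    const apps = workspace.allInstalledApplications();
    const fileManager = ObjC.classes.NSFileManager.defaultManager();
    const total = apps.count();
    const result = [];
    for (let i = 0; i < total; i++) {
      const proxy = apps.objectAtIndex_(i);
      const bundleUrl = proxy.bundleURL();
      const out = {};
      out["displayName"] = proxy.localizedName().toString();
      out["bundleIdentifier"] = proxy.bundleIdentifier().toString();
      out["bundlePath"] = bundleUrl.toString();
      // join() renders a nil container URL as an empty string, so such an entry is just "Documents".
      out["dataPath"] = [proxy.dataContainerURL(), ''].join('Documents');
      out["executablePath"] = [bundleUrl.toString(), proxy.bundleExecutable().toString()].join('');

      // Slicing eight characters off the URL string also removed the leading "/" of a
      // "file:///" URL and left percent-escapes in place; -[NSURL path] gives the
      // absolute, decoded filesystem path that fileExistsAtPath: expects.
      const frameworkPath = bundleUrl.path().toString() + '/emmlib.framework/emmlib';
      out["vsaPath"] = fileManager.fileExistsAtPath_(frameworkPath).toString();

      result.push(out);
    }
    return result;
  }
};

/**
 * Handle one message posted by the host and acknowledge it.
 *
 * @param {object} message - Message payload; its `cmd` field selects the command.
 */
function handleMessage(message) {
  const cmd = message['cmd'];
  if (cmd === 'installed') {
    // No action is wired to this command yet.
  }

  send({status: 'success'});

  // recv() hands over a single message per registration, so register again
  // to keep answering later messages.
  recv(handleMessage);
}

recv(handleMessage);
-------------------------------------------------------------------------------- /my-frida-scripts/iOSAppAllClassesMethods Hooks.js: --------------------------------------------------------------------------------
/**
 * Build a local-time timestamp of the form "Y-M-D H:M:S:ms".
 * Fields are not zero-padded.
 *
 * @returns {string} Timestamp string.
 */
function get_timestamp()
{
    var now = new Date();
    var datePart = now.getFullYear() + '-' + (now.getMonth()+1) + '-' + now.getDate();
    var timePart = now.getHours() + ":" + now.getMinutes() + ":" + now.getSeconds() + ":" + now.getMilliseconds();
    return datePart + ' ' + timePart;
}

/**
 * Attach an Interceptor to one Objective-C method and log each call.
 *
 * @param {string} class_name - Key into ObjC.classes.
 * @param {string} method_name - Method key as listed by $ownMethods, e.g. "- viewDidLoad".
 * @throws {Error} When the class or method cannot be resolved.
 */
function hook_class_method(class_name, method_name)
{
    // Plain property lookup instead of eval(): class and method names come from the
    // inspected process and must be treated as data, never as source code.
    var cls = ObjC.classes[class_name];
    var hook = cls ? cls[method_name] : undefined;
    if (!hook || !hook.implementation)
    {
        throw new Error("Cannot resolve " + class_name + " -> " + method_name);
    }
    Interceptor.attach(hook.implementation, {
        onEnter: function(args) {
            console.log("[*] [" + get_timestamp() + " ] Detected call to: " + class_name + " -> " + method_name);
        }
    });
}

/**
 * Enumerate the classes defined in the main executable image and attach a
 * logging hook to every method each class declares itself.
 * A failure on one method is logged and does not stop the run.
 */
function run_hook_all_methods_of_classes_app_only()
{
    if (!ObjC.available)
    {
        console.log("[*] Objective-C runtime is not available, nothing to hook");
        return;
    }
    console.log("[*] Started: Hook all methods of all app only classes");
    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
    // Out-parameter that receives the number of class names.
    var pCount = Memory.alloc(Process.pointerSize)
    Memory.writeUInt(pCount, 0)
    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
    var pPath = Memory.allocUtf8String(path)
    var pClasses = copyClassNamesForImage(pPath, pCount)
    var count = Memory.readUInt(pCount)
    try
    {
        for (var i = 0; i < count; i++)
        {
            var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
            var className = Memory.readUtf8String(pClassName)
            if (!ObjC.classes.hasOwnProperty(className))
            {
                continue;
            }
            console.log("[+] Class: " + className);
            // $ownMethods rather than $methods: only methods declared by the class itself.
            var methods = ObjC.classes[className].$ownMethods;
            for (var j = 0; j < methods.length; j++)
            {
                var methodName = methods[j];
                try
                {
                    console.log("[-] Method: " + methodName);
                    hook_class_method(className, methodName);
                    console.log("[*] [" + get_timestamp() + "] Hooking successful: " + className + " -> " + methodName);
                }
                catch(err)
                {
                    console.log("[*] [" + get_timestamp() + "] Hooking Error: " + err.message);
                }
            }
        }
    }
    finally
    {
        // The name list is released even if enumeration throws part-way through.
        free(pClasses)
    }
    console.log("[*] Completed: Hook all methods of all app only classes");
}

60 | 61 | function hook_all_methods_of_classes_app_only() 62 | { 63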
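| setImmediate(run_hook_all_methods_of_classes_app_only) 64 | } 65 | 66 | hook_all_methods_of_classes_app_only() -------------------------------------------------------------------------------- /my-frida-scripts/ios-app-info.js: --------------------------------------------------------------------------------

/**
 * Convert an NSDictionary into a plain JavaScript object.
 * Keys and values are both converted with toString().
 *
 * @param {ObjC.Object} nsDict - Dictionary to convert.
 * @returns {object} Plain object with string keys and string values.
 */
function dictFromNSDictionary(nsDict) {
    var jsDict = {};
    var keys = nsDict.allKeys();
    var count = keys.count();
    for (var i = 0; i < count; i++) {
        var key = keys.objectAtIndex_(i);
        jsDict[key.toString()] = nsDict.objectForKey_(key).toString();
    }

    return jsDict;
}

/**
 * Convert an NSArray into a JavaScript array of strings.
 *
 * @param {ObjC.Object} nsArray - Array to convert.
 * @returns {string[]} toString() of every element, in order.
 */
function arrayFromNSArray(nsArray) {
    var jsArray = [];
    var count = nsArray.count();
    for (var i = 0; i < count; i++) {
        jsArray.push(nsArray.objectAtIndex_(i).toString());
    }
    return jsArray;
}

/**
 * Return the main bundle's Info.plist dictionary as a plain object.
 *
 * @returns {object|null} Converted dictionary, or null when the Objective-C
 *   runtime or NSBundle is not available.
 */
function infoDictionary() {
    if (!(ObjC.available && "NSBundle" in ObjC.classes)) {
        return null;
    }
    var info = ObjC.classes.NSBundle.mainBundle().infoDictionary();
    return dictFromNSDictionary(info);
}

/**
 * Look up one key in the main bundle's Info.plist dictionary.
 *
 * @param {string} key - Info.plist key, e.g. "CFBundleName".
 * @returns {string|string[]|object|null} Array and dictionary values are
 *   converted to their JavaScript counterparts, anything else to a string;
 *   null when the key is absent or the runtime is not available.
 */
function infoLookup(key) {
    if (!(ObjC.available && "NSBundle" in ObjC.classes)) {
        return null;
    }
    var info = ObjC.classes.NSBundle.mainBundle().infoDictionary();
    var value = info.objectForKey_(key);
    if (value === null) {
        return value;
    }
    // Test the public class rather than the private concrete class name:
    // "__NSCFArray" / "__NSCFDictionary" are only two of the concrete
    // subclasses the runtime may hand back for a collection.
    if (value.isKindOfClass_(ObjC.classes.NSArray)) {
        return arrayFromNSArray(value);
    }
    if (value.isKindOfClass_(ObjC.classes.NSDictionary)) {
        return dictFromNSDictionary(value);
    }
    return value.toString();
}

49 | function appInfo() { 50 | var output = {}; 51 | output["Name"] = infoLookup("CFBundleName"); 52 | output["Bundle ID"] = ObjC.classes.NSBundle.mainBundle().bundleIdentifier().toString(); 53 | output["Version"] = infoLookup("CFBundleVersion"); 54 | output["Bundle"] = ObjC.classes.NSBundle.mainBundle().bundlePath().toString(); 55 |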
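output["Data"] = ObjC.classes.NSProcessInfo.processInfo().environment().objectForKey_("HOME").toString(); 56 | output["Binary"] = ObjC.classes.NSBundle.mainBundle().executablePath().toString(); 57 | return output; 58 | } -------------------------------------------------------------------------------- /my-frida-scripts/raptor_frida_ios_autoIntercept.js: --------------------------------------------------------------------------------
/*
 * raptor_frida_ios_*.js - Frida script snippets for iOS
 * Copyright (c) 2017 Marco Ivaldi
 *
 * Frida.re JS script snippets for iOS/ObjC instrumentation.
 * See https://www.frida.re/ and https://codeshare.frida.re/
 * for further information on this powerful tool.
 *
 * "We want to help others achieve interop through reverse
 * engineering" -- @oleavr
 *
 * Many thanks to Maurizio Agazzini
 * and Federico Dotta .
 *
 * Example usage:
 * # frida -U -f com.xxx.yyy -l raptor_frida_ios.js --no-pause
 */

/**
 * Print the class of an argument or return value.
 * If wrapping the pointer as an ObjC.Object throws, the error is logged instead.
 *
 * @param {string} desc - Prefix for the log line.
 * @param {NativePointer} arg - Pointer to describe.
 */
function printType(desc, arg) {
	try {
		var wrapped = ObjC.Object(arg);
		console.log(desc + wrapped.$class + " " + wrapped.$className);
	} catch (err) {
		console.log(err)
	}
}

/**
 * Print the value of an argument or return value.
 * Falls back to the raw pointer when it cannot be wrapped as an ObjC.Object.
 *
 * @param {string} desc - Prefix for the log line.
 * @param {NativePointer} arg - Pointer to describe.
 */
function printValue(desc, arg) {
	try {
		console.log(desc + ObjC.Object(arg));
	} catch (err) {
		console.log(desc + arg);
	}
}

/**
 * Attach to one Objective-C method and log its arguments and return value.
 *
 * @param {string} target - Method in the form "-[ClassName selector:]" or
 *   "+[ClassName selector:]". A target that does not parse, or that names an
 *   unknown class or method, is reported on the console and skipped.
 */
function autoIntercept(target) {
	// One anchored pattern: unparseable input is reported instead of failing
	// with a TypeError on a null match result.
	var parts = /^([-+])\[(\S+)\s+(\S+)\]$/.exec(target);
	if (parts === null) {
		console.log("error: cannot parse target " + target);
		return;
	}
	var methodType = parts[1];
	var className = parts[2];
	var methodName = parts[3];
	// Each ":" in the selector stands for one explicit argument.
	var argCount = (methodName.match(/:/g) || []).length;

	console.log("\n[-]info: trying to intercept", target);
	var cls = ObjC.classes[className];
	var oldImpl = cls ? cls[methodType + " " + methodName] : undefined;
	if (!oldImpl || !oldImpl.implementation) {
		console.log("error: cannot resolve " + target);
		return;
	}

	Interceptor.attach(oldImpl.implementation, {

		onEnter: function(args) {
			console.log("\n[-] *** Entered", target, "***");
			// args[0] is self and args[1] the selector, so explicit arguments start at index 2.
			for (var i = 0; i < argCount; i++) {
				printType("\n[-]arg " + (i + 1) + " type:\t", args[i + 2]);
				printValue("[-]arg " + (i + 1) + " value:\t", args[i + 2]);
			}
		},

		onLeave: function(retval) {
			printType("\n[-]retval type:\t", retval);
			printValue("[-]retval value:\t", retval);
			console.log("\n[-]*** Exiting", target, "***");
		}

	});
}

/**
 * Entry point: intercept the given method when the Objective-C runtime is present.
 *
 * @param {string} method - Method in the form accepted by autoIntercept.
 */
function Intercept(method) {
	if (!ObjC.available) {
		console.log("error: Objective-C Runtime is not available!");
		return;
	}
	autoIntercept(method);
}
-------------------------------------------------------------------------------- /testmaco.py: -------------------------------------------------------------------------------- 1 | import frida 2 | import sys 3 | 4 | 5 | def on_message(message, data): 6 | print("[{}] => {}".format(message, data)) 7 | 8 | 9 | def main(target_process): 10 | session = frida.attach(target_process) 11 | 12 | script = session.create_script( 13 | """ 14 | const appWillFinishLaunching = ObjC.classes.NSApplicationDelegate['- applicationWillFinishLaunching:']; 15 | Interceptor.attach(appWillFinishLaunching.implementation, { 16 | onEnter(args) { 17 | // As this is an Objective-C method, the arguments are as follows: 18 | // 0. 'self' 19 | // 1. The selector (applicationWillFinishLaunching:) 20 | // 2. The first argument to this method 21 | const notification = new ObjC.Object(args[2]); 22 | 23 | // Convert it to a JS string and log it 24 | const notificationStr = notification.absoluteString().toString(); 25 | console.log('Will finish launching with notification: ' + notificationStr); 26 | } 27 | }); 28 | """ 29 | ) 30 | script.on("message", on_message) 31 | script.load() 32 | print("[!]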
Ctrl+D or Ctrl+Z to detach from instrumented program.\n\n") 33 | sys.stdin.read() 34 | session.detach() 35 | 36 | 37 | if __name__ == "__main__": 38 | main("Safari") 39 | --------------------------------------------------------------------------------